← 返回 Skills 市场
MH things-mac
作者
mohdalhashemi98-hue
· GitHub ↗
· v1.0.0
569
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install mh-things-mac
功能描述
Manage Things 3 via the `things` CLI on macOS (add/update projects+todos via URL scheme; read/search/list from the local Things database). Use when a user as...
安全使用建议
This skill appears to do what it says — manage Things 3 via the 'things' CLI — but it requires access to your local Things database and may need you to grant Full Disk Access to the calling app (OpenClaw.app) for gateway/autonomous runs. Before installing/using: 1) Review and trust the upstream repo (github.com/ossianhempel/things3-cli); prefer installing a pinned release instead of '@latest' to avoid pulling unexpected code. 2) Only grant Full Disk Access to OpenClaw.app if you understand and accept that it gives broad filesystem access; if unsure, run the CLI manually from Terminal instead. 3) Treat THINGS_AUTH_TOKEN as a secret: store it securely and only provide it if you need write/update operations. 4) If you are concerned about autonomous agent actions, restrict or disable autonomous invocation for this skill and enable it only when you explicitly want the agent to perform Things operations. 5) Optionally inspect the ThingsData-* path and the CLI locally before permitting gateway access.
功能分析
Type: OpenClaw Skill
Name: mh-things-mac
Version: 1.0.0
The skill is classified as suspicious due to several high-risk capabilities, even though they are plausibly needed for its stated purpose of managing Things 3. The `SKILL.md` instructs OpenClaw to install the `things3-cli` via `go install github.com/ossianhempel/things3-cli/cmd/things@latest`, which introduces a supply chain risk by fetching and executing code from a remote repository. Additionally, the skill explicitly mentions the need to grant 'Full Disk Access' to OpenClaw.app for database reads, which is a broad and high-privilege permission. The skill also involves handling `THINGS_AUTH_TOKEN` for update operations, a sensitive credential. While there is no evidence of intentional malicious behavior (data exfiltration, backdoors, or prompt injection with harmful objectives), these capabilities represent significant vulnerabilities if exploited.
能力评估
Purpose & Capability
Name/description match the requirements: the skill needs the 'things' CLI and offers commands to read the local Things DB and invoke the Things URL scheme. The install spec (go install of github.com/ossianhempel/things3-cli/cmd/things) produces the expected 'things' binary. There are no unrelated binaries or env vars requested.
Instruction Scope
Runtime instructions explicitly direct reading the local Things database (inbox/today/upcoming/search/projects/areas/tags) and recommend granting Full Disk Access to the calling app (Terminal for manual runs; 'OpenClaw.app' for gateway/autonomous runs) if DB reads fail. Reading the ThingsData-* folder and recommending Full Disk Access are coherent with the skill's purpose but are materially elevated privileges (broad filesystem access) and a privacy consideration.
Install Mechanism
Installation uses 'go install' of a public GitHub module (github.com/ossianhempel/things3-cli/cmd/things@latest) to create the 'things' binary. This is a standard mechanism but pulls the 'latest' module source at install time — moderate risk if you don't trust the repo or want deterministic builds. No suspicious download hosts or extract-from-arbitrary-URL behavior present.
Credentials
The registry lists no required env vars. SKILL.md references optional envs: THINGSDB (path to ThingsData-* folder) and THINGS_AUTH_TOKEN (used for updates). These are proportionate: the auth token is only needed for write/update operations; THINGSDB relates to reading the local DB. Still, THINGS_AUTH_TOKEN is sensitive and should be provided/stored securely if used.
Persistence & Privilege
always:false (not force-installed). The skill permits autonomous invocation (disable-model-invocation:false), which is platform default. Combined with the need to read the local Things DB and the instruction to grant Full Disk Access to the gateway app, autonomous invocation increases the potential blast radius — consider enabling only when needed or restricting agent autonomy.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mh-things-mac - 安装完成后,直接呼叫该 Skill 的名称或使用
/mh-things-mac触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Priority upload batch
元数据
常见问题
MH things-mac 是什么?
Manage Things 3 via the `things` CLI on macOS (add/update projects+todos via URL scheme; read/search/list from the local Things database). Use when a user as... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 569 次。
如何安装 MH things-mac?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mh-things-mac」即可一键安装,无需额外配置。
MH things-mac 是免费的吗?
是的,MH things-mac 完全免费(开源免费),可自由下载、安装和使用。
MH things-mac 支持哪些平台?
MH things-mac 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin)。
谁开发了 MH things-mac?
由 mohdalhashemi98-hue(@mohdalhashemi98-hue)开发并维护,当前版本 v1.0.0。
推荐 Skills