✅ MH things-mac — 管理Things任务
v1.0.0在macOS用things CLI管理Things 3:通过URL方案增改项目+待办,读取/搜索/列出本地数据库任务。
0· 526·1 当前·1 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
安全
medium confidenceThe skill's declared purpose (manage Things 3) aligns with the binaries, install step, and runtime instructions — it requires access to your local Things DB and optionally an auth token, which is coherent but carries privacy/privilege implications you should consider before enabling.
评估建议
This skill appears to do what it says — manage Things 3 via the 'things' CLI — but it requires access to your local Things database and may need you to grant Full Disk Access to the calling app (OpenClaw.app) for gateway/autonomous runs. Before installing/using: 1) Review and trust the upstream repo (github.com/ossianhempel/things3-cli); prefer installing a pinned release instead of '@latest' to avoid pulling unexpected code. 2) Only grant Full Disk Access to OpenClaw.app if you understand and a...详细分析 ▾
✓ 用途与能力
Name/description match the requirements: the skill needs the 'things' CLI and offers commands to read the local Things DB and invoke the Things URL scheme. The install spec (go install of github.com/ossianhempel/things3-cli/cmd/things) produces the expected 'things' binary. There are no unrelated binaries or env vars requested.
⚠ 指令范围
Runtime instructions explicitly direct reading the local Things database (inbox/today/upcoming/search/projects/areas/tags) and recommend granting Full Disk Access to the calling app (Terminal for manual runs; 'OpenClaw.app' for gateway/autonomous runs) if DB reads fail. Reading the ThingsData-* folder and recommending Full Disk Access are coherent with the skill's purpose but are materially elevated privileges (broad filesystem access) and a privacy consideration.
ℹ 安装机制
Installation uses 'go install' of a public GitHub module (github.com/ossianhempel/things3-cli/cmd/things@latest) to create the 'things' binary. This is a standard mechanism but pulls the 'latest' module source at install time — moderate risk if you don't trust the repo or want deterministic builds. No suspicious download hosts or extract-from-arbitrary-URL behavior present.
ℹ 凭证需求
The registry lists no required env vars. SKILL.md references optional envs: THINGSDB (path to ThingsData-* folder) and THINGS_AUTH_TOKEN (used for updates). These are proportionate: the auth token is only needed for write/update operations; THINGSDB relates to reading the local DB. Still, THINGS_AUTH_TOKEN is sensitive and should be provided/stored securely if used.
ℹ 持久化与权限
always:false (not force-installed). The skill permits autonomous invocation (disable-model-invocation:false), which is platform default. Combined with the need to read the local Things DB and the instruction to grant Full Disk Access to the gateway app, autonomous invocation increases the potential blast radius — consider enabling only when needed or restricting agent autonomy.
安全有层次,运行前请审查代码。
运行时依赖
🖥️ OSmacOS
版本
latestv1.0.02026/2/25
Priority upload batch
● 可疑
安装命令
点击复制官方npx clawhub@latest install mh-things-mac
镜像加速npx clawhub@latest install mh-things-mac --registry https://cn.longxiaskill.com