text-message

Fail

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/send_message.sh constructs AppleScript commands by interpolating the $MESSAGE_TEXT variable directly into a double-quoted string. Because it only escapes single quotes and fails to handle double quotes or AppleScript concatenation characters (like &), an attacker can provide crafted input to execute arbitrary shell commands via do shell script within the AppleScript context.
  • [DATA_EXFILTRATION]: The skill reads from ~/Library/Messages/chat.db using the scripts/read_messages.sh script. This database is a highly sensitive system file containing the user's entire text message history, including private conversations and multi-factor authentication (MFA) codes. Accessing this data without strict exfiltration controls poses a high risk to user privacy.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted external data.
      • Ingestion points: Raw message data is ingested from the system's chat.db via scripts/read_messages.sh.
      • Boundary markers: The skill lacks delimiters or instructions to the agent to ignore embedded commands within the messages it reads.
      • Capability inventory: The skill includes scripts for reading sensitive databases and executing AppleScript commands that can interact with the host system.
      • Sanitization: There is no evidence of sanitization or filtering of the message content, which allows malicious instructions received via SMS/iMessage to potentially exploit the command injection vulnerability or redirect agent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 27, 2026, 03:38 PM