imsg
Warn
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the 'imsg' utility from an external third-party Homebrew tap 'steipete/tap/imsg' which is not on the list of trusted vendors or repositories.
- [DATA_EXFILTRATION]: The skill accesses highly sensitive personal communications stored in the macOS Messages database. This requires the user to grant Full Disk Access to the terminal environment, exposing private message history and attachments.
- [COMMAND_EXECUTION]: The skill executes several bash commands to interact with the iMessage system, including listing chats, fetching history, and sending messages with file attachments.
- [PROMPT_INJECTION]: The skill possesses a significant indirect prompt injection surface because it reads untrusted content from incoming messages. * Ingestion points: 'imsg history' and 'imsg watch' actions in SKILL.md * Boundary markers: Absent; there are no instructions to the agent to distinguish between message content and system instructions * Capability inventory: The agent can send messages and access local file paths via the 'imsg send' command * Sanitization: None; external message content is ingested without filtering or validation.
Audit Metadata