imsg
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill installs a binary from a third-party Homebrew tap: `steipete/tap/imsg`. While the author is a reputable developer, the repository is not part of the defined 'Trusted Organizations' list, requiring manual verification of the source.
- DATA_EXFILTRATION (MEDIUM): The primary function of this skill is to extract highly sensitive private communication data (iMessages and SMS). The skill explicitly requires 'Full Disk Access', a high-privilege macOS permission. If the agent is compromised or used maliciously, this data could be exfiltrated.
- Indirect Prompt Injection (LOW): The skill processes untrusted external data via `imsg watch` and `imsg history`.
  - Ingestion points: Incoming messages read via `imsg history --json` or `imsg watch`.
  - Boundary markers: Absent; the skill does not define delimiters to separate message content from agent instructions.
  - Capability inventory: Includes the ability to send messages (`imsg send`) and read local files for attachments.
  - Sanitization: Absent; incoming message text is passed directly to the agent without filtering, allowing an external sender to potentially influence agent behavior through a text message.
- COMMAND_EXECUTION (LOW): The skill uses shell commands to interact with the `imsg` CLI tool.
Audit Metadata