imsg
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH | DATA_EXFILTRATION | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
- [Data Exposure & Exfiltration] (HIGH): The skill is explicitly designed to access and monitor the user's private iMessage and SMS database on macOS using the `imsg history` and `imsg watch` commands. This grants the agent access to highly sensitive personal communications.
- [Unverifiable Dependencies & Remote Code Execution] (HIGH): The skill initiates the installation of a third-party binary via Homebrew from the repository `steipete/tap/imsg`. This source is not part of the established trusted organizations list, posing a significant supply chain risk through the execution of unverified external code.
- [Privilege Escalation] (MEDIUM): The skill instructions require the user to grant 'Full Disk Access' and 'Automation' permissions to the terminal. While these are OS-level controls, the skill leverages these elevated privileges to bypass standard sandbox restrictions on sensitive user data.
- [Indirect Prompt Injection] (LOW): The skill creates an attack surface by ingesting untrusted message content from external parties via the watch and history actions.
  - Ingestion points: `imsg history` and `imsg watch` read external message strings.
  - Boundary markers: Absent; there are no instructions to the agent to treat message content as untrusted data.
  - Capability inventory: The agent can execute shell commands via the `imsg` CLI and send outgoing messages.
  - Sanitization: Absent; incoming message content is processed directly in the terminal output.
Recommendations
- AI detected serious security threats