imsg
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `imsg` binary via a third-party Homebrew tap (steipete/tap/imsg). This introduces a dependency on an external maintainer's repository for core functionality.
- [COMMAND_EXECUTION]: The skill executes various shell commands (`imsg chats`, `imsg history`, `imsg send`) to interact with the macOS Messages environment. These commands allow the agent to read and modify local database content.
- [DATA_EXFILTRATION]: The skill is designed to read sensitive communications, including message history, chat lists, and attachments. While intended for user assistance, this capability provides access to private personal data that could be exfiltrated if the agent is directed to send this information to an external service.
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface. It reads untrusted data from incoming iMessages and SMS via the `history`, `chats`, and `watch` commands.
  - Ingestion points: Message content and sender IDs are pulled from `~/Library/Messages/chat.db` and displayed to the agent via `imsg history` and `imsg watch` commands.
  - Boundary markers: The instructions do not specify any delimiters or safety markers to differentiate between system instructions and message content being processed.
  - Capability inventory: The agent has the ability to execute shell commands and send messages via the `imsg send` command.
  - Sanitization: No evidence of sanitization or filtering of message content is present in the skill definition.
- [PRIVILEGE_ESCALATION]: The skill requires the user to grant 'Full Disk Access' and 'Automation' permissions to the terminal or agent environment on macOS. These permissions bypass standard sandbox protections to allow direct access to the user's private message database and control over the Messages.app.
Audit Metadata