imsg
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
imsgutility via a third-party Homebrew tap (steipete/tap/imsg). This involves downloading an executable binary from a repository that is not included in the trusted vendors list. - [COMMAND_EXECUTION]: The skill provides instructions for executing various CLI commands (
imsg chats,imsg history,imsg send) to interact with the macOS Messages application. - [DATA_EXFILTRATION]: The skill requires 'Full Disk Access' and 'Automation' permissions on macOS to read the internal iMessage database. This grants the agent access to sensitive personal communication history and the ability to view attachments.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from incoming messages.
- Ingestion points: Untrusted message content is read into the agent context via
imsg historyandimsg watchcommands. - Boundary markers: The instructions lack delimiters or warnings to prevent the agent from following instructions embedded within the retrieved messages.
- Capability inventory: The skill possesses the capability to send outgoing messages (
imsg send), which could be abused if an incoming message influences the agent's behavior. - Sanitization: There is no evidence of sanitization or filtering of message content before it is processed by the agent.
Audit Metadata