Skills
skills/insight68/skills/imsg/Gen Agent Trust Hub

imsg

Warn

Audited by Gen Agent Trust Hub on Feb 28, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the imsg binary from a third-party Homebrew tap (steipete/tap/imsg). While the developer is a known figure in the Apple ecosystem, this remains a non-official external dependency.
  • [COMMAND_EXECUTION]: The skill relies on executing the imsg CLI to perform operations such as listing chats, reading history, and sending messages.
  • [DATA_EXFILTRATION]: The skill accesses highly sensitive PII (Personal Identifiable Information) by reading the user's iMessage and SMS database.
  • Requires 'Full Disk Access' to bypass macOS sandbox protections and read communication logs.
  • Exposes private attachments and conversation history to the agent's context.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the data it processes.
  • Ingestion points: Private messages read via imsg history and imsg watch enter the agent's context from untrusted external senders.
  • Boundary markers: Absent. There are no instructions or delimiters to prevent the agent from obeying commands embedded in received messages.
  • Capability inventory: The skill has the ability to send messages and files (imsg send), which could be abused if an incoming message triggers a malicious response.
  • Sanitization: None. Message content is passed to the agent without filtering or safety validation.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 28, 2026, 08:21 PM