imsg
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies a dependency on the
imsgbinary and provides installation instructions for an external Homebrew tap (steipete/tap/imsg). This source is not included in the trusted vendor list, representing an unverifiable third-party dependency. - [COMMAND_EXECUTION]: The skill's primary functionality is delivered through the execution of CLI commands like
imsg chats,imsg history, andimsg send. This requires the agent to invoke external processes with potentially sensitive arguments. - [DATA_EXFILTRATION]: The skill provides capabilities to read private message history and send content to external phone numbers or iMessage IDs. These features can be combined to exfiltrate sensitive local data to remote entities.
- [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection by processing untrusted incoming messages. Ingestion points: Message data is ingested via
imsg historyandimsg watchcommands. Boundary markers: There are no defined boundary markers or instructions to treat message content as data rather than instructions. Capability inventory: The skill possesses theimsg sendcapability, which allows it to transmit data externally. Sanitization: The skill does not implement sanitization or filtering of the message body before it enters the agent's context.
Audit Metadata