imessage
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (HIGH): The skill clones source code from an untrusted repository (https://github.com/letta-ai/imsg.git) and executes a build process (`swift build`) followed by binary execution. Since the source is not a trusted organization, this is high risk.
- Data Exposure & Exfiltration (HIGH): The skill requests 'Full Disk Access' to read the sensitive Messages SQLite database (~/Library/Messages/chat.db), which contains the user's entire conversation history. Accessing this sensitive file path without a trusted source is a major security concern.
- Privilege Escalation (HIGH): Instructions require the user to grant 'Full Disk Access' and 'Automation' permissions, granting the agent extensive access to private communications and the ability to control other applications.
- Indirect Prompt Injection (LOW): The skill creates a vulnerability surface by reading untrusted data from incoming messages.
  - Ingestion points: Incoming iMessage/SMS content via `imsg history` and `imsg watch`.
  - Boundary markers: None present in the provided instructions.
  - Capability inventory: The agent can send messages and interact with the macOS system.
  - Sanitization: No sanitization or validation of message content is mentioned.
- Dynamic Execution (MEDIUM): The setup process involves runtime compilation of source code downloaded from a remote repository.
Recommendations
- AI detected serious security threats
Audit Metadata