imsg
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions and metadata specify the installation of the
imsgutility from a third-party Homebrew tap (steipete/tap/imsg).\n- [COMMAND_EXECUTION]: The skill uses shell commands to invoke theimsgCLI, which requires Full Disk Access and Automation permissions to read local message databases and control the Messages app.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes message content from external senders, which could contain malicious instructions designed to manipulate agent behavior.\n - Ingestion points: The
imsg chats,imsg history, andimsg watchcommands ingest untrusted text and attachment metadata from the local Messages database into the agent's context (SKILL.md).\n - Boundary markers: The skill does not implement or recommend the use of delimiters or 'ignore' instructions to separate untrusted message data from the system prompt.\n
- Capability inventory: The skill provides capabilities to execute shell commands (
imsg) and read/send files via attachments.\n - Sanitization: No sanitization, filtering, or validation of the message content is performed before the data is presented to the agent.
Audit Metadata