The Agent Skills Directory

COMMAND_EXECUTION (HIGH): The query function in db.ts is vulnerable to shell command injection. It uses execSync to run sqlite3 and interpolates the SQL string into double quotes. Because shell metacharacters like $(...) and backticks are evaluated inside double quotes by the underlying system shell (sh/bash/zsh), an attacker-controlled search term or incoming message content could trigger arbitrary system command execution.
DATA_EXFILTRATION (HIGH): The skill accesses ~/Library/Messages/chat.db, exposing the user's entire private message history, contacts, and attachments. Per Category 2 rules, access to sensitive file paths without a network send is a HIGH severity finding. The exportConversation.ts script further allows writing this sensitive data to arbitrary local file paths, increasing the risk of exposure.
PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). It reads untrusted message content from the iMessage database and processes it without boundary markers or sanitization, allowing an external sender to potentially influence the agent's behavior.
Ingestion points: listMessages.ts, searchMessages.ts, getConversation.ts, getGroupChat.ts, getMessage.ts (all reading from chat.db).
Boundary markers: Absent in all scripts; untrusted message data is interpolated directly into prompts.
Capability inventory: Sending messages (sendMessage.ts, sendGroupMessage.ts), sending files (sendAttachment.ts), creating group chats with GUI automation (createGroupChat.ts), and writing to local files (exportConversation.ts).
Sanitization: No sanitization or safety-filtering is performed on ingested text before it is presented to the AI agent.

imessage