imessage
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides the agent with the ability to read private communication history, including message content and attachments, through commands like
imsg historyandimsg watch. This creates a high-sensitivity data exposure risk if the agent's output is not strictly monitored. - [COMMAND_EXECUTION]: The skill's primary functionality is built upon the execution of the
imsgcommand-line utility to interact with the macOS Messages.app database. - [EXTERNAL_DOWNLOADS]: The instructions direct the user to install an external dependency from a third-party Homebrew tap (
steipete/tap/imsg). This introduces a supply-chain risk as the tool is not from an official OS vendor or a recognized trusted organization. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external incoming messages.
- Ingestion points:
imsg historyandimsg watchcommands. - Boundary markers: The instructions do not define delimiters or specific 'ignore instructions' warnings for message content.
- Capability inventory: The agent can execute system commands (
imsg), read local files (via attachments), and send external messages (imsg send). - Sanitization: No sanitization or validation of the message content is specified before processing.
Audit Metadata