imsg
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [Data Exposure] (HIGH): The skill accesses the macOS iMessage database (~/Library/Messages/chat.db), exposing high-sensitivity personal communication history.
- [External Downloads] (MEDIUM): The installation process fetches a binary from a third-party Homebrew tap (steipete/tap/imsg) which is not among the defined trusted organizations.
- [Privilege Escalation] (MEDIUM): The tool requires the user to grant Full Disk Access and Automation permissions, which significantly expands the agent's ability to interact with the OS and sensitive files.
- [Indirect Prompt Injection] (HIGH):
  1. Ingestion points: The imsg history and watch commands ingest untrusted data from external message senders.
  2. Boundary markers: No delimiters are used to separate message content from instructions.
  3. Capability inventory: The imsg send command allows the agent to take external actions (sending messages/files).
  4. Sanitization: There is no sanitization of incoming text, making it possible for a remote sender to hijack the agent's logic through a message.
Recommendations
- AI detected serious security threats
Audit Metadata