NYC

automating-messages

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [Data Exposure & Exfiltration] (HIGH): The skill targets ~/Library/Messages/chat.db, a SQLite database containing the user's entire message history. Reading it requires Full Disk Access (FDA), a TCC permission that lifts macOS's protection on all TCC-guarded user data, not only Messages, for the process it is granted to; every command the agent runs from that process inherits that access.
  • [Indirect Prompt Injection] (HIGH): The skill implements a monitoring daemon pattern in references/monitoring-daemons.md that reads incoming messages from chat.db. Message bodies are untrusted external input that anyone able to message the user controls. Because the skill also holds high-privilege capabilities (shell execution and message sending), an attacker can send a message whose text the agent treats as an instruction rather than as data. Evidence Chain: (1) Ingestion: ~/Library/Messages/chat.db via sqlite3. (2) Boundaries: absent; message text reaches the model with no separation between data and instructions. (3) Capabilities: doShellScript (Bash), Messages.send, and UI scripting via System Events. (4) Sanitization: absent.
  • [Persistence Mechanisms] (HIGH): references/monitoring-daemons.md provides instructions and logic for installing a LaunchAgent (~/Library/LaunchAgents/com.user.messagebot.plist). launchd loads it at every login, so malicious or unintended logic persists across user sessions and runs automatically in the background without further interactive approval.
  • [Privilege Escalation] (HIGH): The skill explicitly guides the user to grant Full Disk Access and Accessibility permissions. These are functional requirements, but together they give the agent near-unrestricted access to the user's files and the ability to drive any application's UI, which multiplies the impact of every finding above.
  • [Command Execution] (MEDIUM): The skill makes extensive use of doShellScript in JXA to run sqlite3 queries and manage state files. This is a direct execution vector whenever incoming message content (sender handle, message text) is interpolated into those shell command strings, or into the SQL passed through them, without rigorous quoting.
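As an added example (not code from the audited skill) of the quoting the last finding calls for: the hardened form builds every argument handed to doShellScript as a single-quoted shell word and passes message-derived values into SQL only as escaped literals, and a small quote-aware splitter shows that a crafted sender handle adds commands to the vulnerable form but not to the hardened one. The query shape, the sample handles and the use of process.env.HOME are assumptions; the chat.db path is the one named in the findings. It runs under Node; in JXA the returned string would be passed to Application.currentApplication().doShellScript().

```javascript
// Added example for this audit, not code from the automating-messages skill.
// Shows how a JXA daemon should build the command strings it hands to
// doShellScript so that text read from chat.db can only ever be data.
// Runs under Node; in JXA you would do:
//   const app = Application.currentApplication();
//   app.includeStandardAdditions = true;
//   app.doShellScript(buildLookupSafe(handle));

// Path named in the audit. ~ is not expanded inside single quotes, so the
// absolute path is built here rather than left to the shell (HOME assumed).
const CHAT_DB = (process.env.HOME || "/Users/me") + "/Library/Messages/chat.db";

// POSIX single-quote escaping. Inside '...' nothing is special except the
// closing ', so the only transformation needed is ' -> '\'' (close the
// quote, emit an escaped quote, reopen). $ ; | ` and newlines stay literal.
function shellQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// SQLite string-literal escaping: double every single quote. Needed only
// because the sqlite3 CLI is driven through a shell; a real driver would
// bind parameters instead.
function sqlLiteral(s) {
  return "'" + String(s).replace(/'/g, "''") + "'";
}

// Assumed query: messages from one sender handle. handle.id is the phone
// number or e-mail address that arrived with the message, i.e. attacker-chosen.
function buildLookupSql(handle) {
  return "SELECT text FROM message m JOIN handle h ON h.ROWID = m.handle_id " +
         "WHERE h.id = " + sqlLiteral(handle);
}

// Vulnerable shape: the handle is interpolated into both the SQL and a
// double-quoted shell word. A " in the handle ends the word and a following
// ; starts a new command; a ' in it rewrites the SQL.
function buildLookupUnsafe(handle) {
  return "sqlite3 " + CHAT_DB + ' "SELECT text FROM message m JOIN handle h ' +
         "ON h.ROWID = m.handle_id WHERE h.id = '" + handle + "'\"";
}

// Hardened shape: every argument is one single-quoted shell word and the
// handle reaches SQL only as an escaped literal.
function buildLookupSafe(handle) {
  return "sqlite3 " + shellQuote(CHAT_DB) + " " + shellQuote(buildLookupSql(handle));
}

// Minimal quote-aware splitter used to check command structure: returns the
// top-level commands of a command line, splitting on ; & && | || and newline
// when they are outside '...' and "..." and not backslash-escaped. Enough to
// show whether untrusted text added a command; it is not a full sh parser.
function topLevelCommands(cmd) {
  const out = [];
  let cur = "";
  let q = null; // current quote character, or null when unquoted
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (q === "'") { cur += c; if (c === "'") q = null; continue; }
    if (c === "\\") { cur += c + (cmd[i + 1] || ""); i++; continue; }
    if (q === '"') { cur += c; if (c === '"') q = null; continue; }
    if (c === "'" || c === '"') { q = c; cur += c; continue; }
    if (c === ";" || c === "&" || c === "|" || c === "\n") {
      if (cur.trim()) out.push(cur.trim());
      cur = "";
      if ((c === "&" || c === "|") && cmd[i + 1] === c) i++; // && or ||
      continue;
    }
    cur += c;
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}

// Constructed sample sender handles: one benign, one that breaks out of the
// double-quoted shell word, one that rewrites the SQL predicate.
const SAMPLE_HANDLES = {
  benign: "+15550100",
  shellBreakout: 'x"; id; echo "',
  sqlRewrite: "a' OR '1'='1",
};

// For each sample, how many shell commands each builder produces.
function demo() {
  return Object.entries(SAMPLE_HANDLES).map(([name, h]) => ({
    name,
    unsafeCommands: topLevelCommands(buildLookupUnsafe(h)).length,
    safeCommands: topLevelCommands(buildLookupSafe(h)).length,
  }));
}
```

This closes only the command-execution vector: with the hardened builder the worst a crafted handle can do is select nothing. It does nothing for the prompt-injection finding, where the message text is still read by the model as data and the fix is a capability boundary (no shell access from the daemon, a fixed allowlist of actions) rather than escaping.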
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:45 AM