bluebubbles
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): Vulnerable to instructions embedded in incoming iMessages.
  - Ingestion points: Incoming messages and conversation history handled by the generic message tool.
  - Boundary markers: None specified in the instructions to prevent the agent from obeying instructions within messages.
  - Capability inventory: send, react, edit, unsend, reply, sendAttachment (file read), sendWithEffect.
  - Sanitization: No evidence of filtering or sanitizing message content before processing.
- [Data Exfiltration] (HIGH): The 'sendAttachment' action permits specifying a local file 'path'. This allows an attacker to trick the agent into exfiltrating sensitive system files (e.g., credentials, SSH keys) by sending them as attachments to a remote recipient.
- [Command Execution] (LOW): While no direct shell commands are present, the skill relies on an underlying messaging tool to execute actions, representing an indirect execution path.
Recommendations
- AI detected serious security threats