imsg
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill installs the 'imsg' binary from a third-party Homebrew tap ('steipete/tap/imsg'). Because this source is not part of the trusted organization list, the security and integrity of the executable cannot be automatically verified.
- COMMAND_EXECUTION (MEDIUM): The skill executes shell commands to read and write to the system's iMessage database. These operations require granting the terminal 'Full Disk Access' and 'Automation' permissions, which significantly expands the attack surface if the agent is misused.
- DATA_EXFILTRATION (MEDIUM): The skill provides the ability to read private iMessage and SMS history. While no explicit external network send command is present in the skill itself, granting an AI agent the ability to read personal messages creates a high risk of sensitive data exposure or exfiltration to other tools the agent may have access to.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection. It processes untrusted data from incoming messages which could contain malicious instructions intended to hijack the agent's behavior.
- Ingestion points: iMessage/SMS content via 'imsg history' and 'imsg watch'.
- Boundary markers: Absent; messages are retrieved and processed without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill can send messages ('imsg send') and potentially interact with other agent-enabled tools.
- Sanitization: No sanitization or filtering of message content is performed before the data is provided to the agent.
Audit Metadata