imsg
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the imsg CLI tool from a Homebrew tap (steipete/tap/imsg) belonging to the skill author. While this is a vendor-owned resource, it involves downloading and installing a third-party binary on the host system.- [COMMAND_EXECUTION]: The skill uses the imsg binary to execute shell commands that interact with the macOS Messages application, allowing the agent to list chats, view history, and send new messages.- [DATA_EXFILTRATION]: The skill provides the agent with access to highly sensitive user communication data by reading the iMessage/SMS database. This requires granting Full Disk Access to the terminal. Although the skill does not explicitly exfiltrate this data over the network, the exposure of private messaging history to the agent context is a high-impact privacy event.- [PROMPT_INJECTION]: The skill provides an indirect prompt injection surface through its message-reading capabilities.
- Ingestion points: Messages are ingested via the imsg history and imsg watch commands (SKILL.md).
- Boundary markers: There are no boundary markers or instructions to the agent to disregard commands embedded within the retrieved messages.
- Capability inventory: The agent has the ability to send messages (imsg send) and execute shell commands (SKILL.md).
- Sanitization: No sanitization or filtering is performed on the content of messages before they are processed by the agent. This allows a remote attacker to potentially influence the agent's behavior by sending a crafted message.
Audit Metadata