The Agent Skills Directory

Data Exposure & Exfiltration (HIGH): The skill accesses the local iMessage database at ~/Library/Messages/chat.db, which contains private communications, contact information, and file attachments. It includes a specific --export feature to write this sensitive data to an external file.
Dynamic Execution (HIGH): The skill utilizes the pytypedstream library to deserialize attributedBody binary blobs. Because these blobs are populated from incoming iMessages, a remote attacker could potentially craft a malicious message containing a payload designed to exploit the deserialization logic in the library or the skill's parser.
Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill requires the third-party Python package pytypedstream. The evolution log explicitly states that core logic was adopted from an unverified personal GitHub repository (my-other-github-account/imessage-conversation-analyzer), which increases the risk of supply chain or unvetted code vulnerabilities.
Indirect Prompt Injection (LOW): The skill processes untrusted message data from external parties, which could contain instructions intended to mislead the agent when the results are reviewed.
Ingestion points: attributedBody and text columns from ~/Library/Messages/chat.db (via scripts/decode_attributed_body.py).
Boundary markers: Uses --- context --- separators and [match] tags in stdout, and structured keys in NDJSON export.
Capability inventory: SQL execution via sqlite3, local file writing via --export, and binary deserialization via pytypedstream.
Sanitization: No evidence of input sanitization or explicit 'ignore instructions' delimiters for the extracted message content.

imessage-query