macos-imessage
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the local iMessage database located at
~/Library/Messages/chat.dbto retrieve message history.\n - This file contains private communication data, including the content of all iMessages and SMS messages synced to the Mac.\n
- While this is the primary purpose of the skill, it represents a significant exposure of private user data to the AI agent.\n- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from external sources.\n
- Ingestion points: Message history is read from the local database in
scripts/history.sh.\n - Boundary markers: The skill does not implement delimiters or safety instructions to distinguish between system commands and message content.\n
- Capability inventory: The agent has the ability to send messages and attachments via
scripts/send.applescriptand list account details.\n - Sanitization: There is no validation or sanitization of the message text retrieved from the database, allowing embedded instructions to potentially reach the LLM.\n- [COMMAND_EXECUTION]: The skill relies on executing system commands and scripts to interact with macOS internals.\n
- It requires the user to manually grant Full Disk Access and Automation permissions, which are high-privilege security settings.\n
- It executes
sqlite3to query system databases andosascriptto perform actions in the Messages application.\n scripts/history.shusespython3 -cto execute an inline Python script for processing data, which is a form of dynamic execution.
Audit Metadata