The Agent Skills Directory

[DATA_EXFILTRATION]: The skill accesses the local iMessage database located at ~/Library/Messages/chat.db. This file contains the user's entire private communication history. Accessing this sensitive file path poses a high risk of data exposure. While no direct network exfiltration to an untrusted domain was found, the capability to read this data combined with the skill's ability to send messages/files creates a potential path for data leakage if the agent is compromised or misused.
[COMMAND_EXECUTION]: The skill executes system commands via osascript to control the macOS Messages application and sqlite3 to query the internal message database. This level of system interaction is necessary for the skill's primary function but grants the agent significant control over the local messaging environment.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests untrusted data from external sources (message history from other participants) and lacks sanitization or boundary markers.
Ingestion points: scripts/history.sh reads incoming message text and metadata from the SQLite database.
Boundary markers: Absent. The script does not wrap retrieved messages in delimiters or provide instructions to the agent to ignore embedded commands.
Capability inventory: The skill possesses powerful capabilities including send.applescript (sending messages and files) and history.sh (reading the file system).
Sanitization: There is no escaping or filtering of external message content before it is presented to the agent, allowing an attacker to potentially influence agent behavior by sending specifically crafted messages to the user.
[DYNAMIC_EXECUTION]: The scripts/history.sh file uses a Python one-liner (python3 -c "...") to process and decode binary data from the iMessage database. While the Python code is statically defined within the shell script, this pattern of runtime script execution is used to handle complex data structures locally.

macos-imessage