text-message
Fail
Audited by Gen Agent Trust Hub on Apr 11, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: Accesses the highly sensitive Apple Messages database located at ~/Library/Messages/chat.db. This database contains the user's entire private message history.
- [COMMAND_EXECUTION]: Vulnerable to SQL injection in scripts/read_messages.sh. The $FROM_FILTER variable is interpolated directly into a SQL query string without sanitization, allowing an attacker to execute arbitrary SQL commands against the Messages database if the agent is tricked into using a malicious filter.
- [COMMAND_EXECUTION]: Vulnerable to AppleScript injection in scripts/send_message.sh. Message content is placed inside a double-quoted string within an AppleScript snippet. Because double quotes in the input are not escaped, a malicious payload can break out of the string and execute arbitrary AppleScript commands (e.g., do shell script).
- [DATA_EXFILTRATION]: Requests 'Full Disk Access' permissions on macOS. This is a high-privilege permission that bypasses standard sandbox protections and grants the skill access to sensitive data across the entire system, including mail, messages, and backups.
- [PROMPT_INJECTION]: Contains an indirect prompt injection surface as the skill processes untrusted text from external message senders.
- Ingestion points: scripts/read_messages.sh reads message content from the local chat.db database.
- Boundary markers: None; retrieved messages are processed as raw text without delimiters or instructions to ignore embedded commands.
- Capability inventory: The skill has the ability to send messages, read private message history, and execute shell commands via the agent's environment.
- Sanitization: No sanitization or instruction filtering is applied to the data retrieved from the database.
Recommendations
- AI detected serious security threats
Audit Metadata