claude-to-im
Warn
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill manages a background daemon process using platform-specific service managers to ensure persistence.
  - On macOS, it creates a launchd configuration file at `~/Library/LaunchAgents/com.claude-to-im.bridge.plist` to manage the lifecycle of the bridge process.
  - On Windows, the `supervisor-windows.ps1` script provides functionality to install the daemon as a Windows Service using WinSW or NSSM.
  - In `src/codex-provider.ts`, the skill uses a `Function` constructor with a dynamic `import` statement to lazily load the optional `@openai/codex-sdk` dependency at runtime.
- [EXTERNAL_DOWNLOADS]: The `scripts/doctor.sh` diagnostic tool and the various platform adapters in `src/adapters/` perform outbound network requests to official messaging platform APIs (including Telegram, Feishu, QQ, and DingTalk) to validate credentials and poll for incoming messages.
- [PROMPT_INJECTION]: The bridge architecture creates a surface for indirect prompt injection as it retrieves untrusted data from messaging platforms and forwards it to the agent context.
  - Ingestion points: Incoming messages from messaging channels enter the agent's context through the polling logic defined in `src/adapters/`.
  - Boundary markers: There are no explicit delimiters or instructions observed in the code that would warn the model to ignore potential injection content within the IM messages.
  - Capability inventory: The skill's configuration in `SKILL.md` allows the agent to use highly privileged tools including `Bash`, `Read`, `Write`, and `Edit`.
  - Sanitization: While the skill implements log redaction for its own credentials, raw message text from IM platforms is passed to the AI model's query interface.
Audit Metadata