imsg
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
imsgCLI tool to perform operations such as listing chats, viewing history, and sending messages. This relies on a pre-installed binary on the host system. - [DATA_EXFILTRATION]: The skill has the capability to read private communication data including message content, attachments, and recipient information (
imsg history,imsg chats). While the skill does not explicitly show data being sent to an external server, the access to this sensitive data combined with the agent's general network capabilities presents a data exposure risk. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It ingests untrusted data from external sources (incoming iMessage/SMS messages) via
imsg historyandimsg watch. - Ingestion points: Incoming messages read from the macOS Messages database via
SKILL.mdcommand examples. - Boundary markers: None provided in the command examples to distinguish between message content and agent instructions.
- Capability inventory: The agent can execute shell commands and send messages back to contacts.
- Sanitization: There is no evidence of sanitization or filtering of incoming message content before it is processed by the agent.
- [PRIVILEGE_ESCALATION]: The skill documentation explicitly requires 'Full Disk Access' and 'Automation' permissions on macOS. These are high-privilege permissions that allow the tool (and by extension, the agent) to bypass standard sandbox protections and access sensitive user databases and control other applications.
Audit Metadata