imsg
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions utilize the
imsgcommand-line utility to perform actions likechats,history, andsendon the host system. - [EXTERNAL_DOWNLOADS]: The skill configuration automates the installation of software from a third-party Homebrew tap (
steipete/tap/imsg), which is an external source outside of primary trusted registries. - [DATA_EXFILTRATION]: The
imsg sendfunctionality enables the agent to send content to any phone number, creating a vector for exfiltrating sensitive information. Additionally, the requirement for 'Full Disk Access' exposes the complete private iMessage database (~/Library/Messages/chat.db) to the agent. - [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting untrusted message content through
imsg historyandimsg watch. There are no boundary markers or sanitization logic defined to prevent the agent from executing instructions embedded in received messages, while the agent maintains capabilities to send data externally.
Audit Metadata