imsg

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions utilize the imsg command-line utility to perform actions like chats, history, and send on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill configuration automates the installation of software from a third-party Homebrew tap (steipete/tap/imsg), which is an external source outside of primary trusted registries.
  • [DATA_EXFILTRATION]: The imsg send functionality enables the agent to send content to any phone number, creating a vector for exfiltrating sensitive information. Additionally, the requirement for 'Full Disk Access' exposes the complete private iMessage database (~/Library/Messages/chat.db) to the agent.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by ingesting untrusted message content through imsg history and imsg watch. There are no boundary markers or sanitization logic defined to prevent the agent from executing instructions embedded in received messages, while the agent maintains capabilities to send data externally.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — imsg