imsg
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the 'imsg' utility from an external third-party Homebrew repository ('steipete/tap/imsg').
- [COMMAND_EXECUTION]: The skill executes the 'imsg' binary to perform actions like listing chats, reading history, and sending messages.
- [DATA_EXFILTRATION]: The skill accesses the local iMessage database to read private conversation history and attachments. This involves sensitive user data and requires high-privilege 'Full Disk Access' permissions on macOS.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it reads incoming messages from external users. Maliciously crafted messages could potentially override agent instructions if the content is not handled with strict boundaries.
- Ingestion points: Incoming message content retrieved through 'imsg history' and 'imsg watch' in 'SKILL.md'.
- Boundary markers: None; there are no specific delimiters or warnings to the agent to treat message content as untrusted.
- Capability inventory: The agent can send outgoing messages and access local file paths.
- Sanitization: No sanitization or validation is applied to the message text before it is processed by the agent.
Audit Metadata