imsg
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
imsgbinary using Homebrew from a third-party repository (steipete/tap/imsg). This introduces a dependency on external code maintained outside of official platform or operating system channels. - [COMMAND_EXECUTION]: The skill relies on executing shell commands (
imsg chats,imsg history,imsg send) to interact with the macOS Messages.app and its underlying database. This functionality requires the terminal to be granted 'Full Disk Access' and 'Automation' permissions, which are high-privilege entitlements. - [DATA_EXPOSURE]: By design, this skill accesses highly sensitive personal information, including full chat histories and contact details stored in the iMessage
chat.db. While no exfiltration logic was detected in the skill instructions, the tool itself has read access to all private messages. - [INDIRECT_PROMPT_INJECTION]: The skill provides the ability to read incoming message history. This creates an attack surface where an external party can send a message containing malicious instructions. If the agent reads this message using
imsg history, it may inadvertently follow those instructions. - Ingestion points:
imsg history,imsg chats, andimsg watchcommands (SKILL.md). - Boundary markers: None detected; the skill does not instruct the agent to ignore instructions embedded in message content.
- Capability inventory: The skill includes
imsg sendwhich can be used to propagate messages or interact with other system tools (SKILL.md). - Sanitization: No sanitization or validation of the message content is performed before it is processed by the agent.
Audit Metadata