Is imsg safe?

https://clawhub.ai/steipete/imsg

Score: 72 · CAUTION

The imsg skill is a cleanly structured, transparent iMessage/SMS CLI wrapper with no malicious code, hidden payloads, or prompt injection. However, its core functionality grants an AI agent extremely sensitive capabilities — unrestricted access to read all message history and send messages/files to arbitrary recipients — making it a high-value target for cross-skill attacks and social engineering. The skill itself is well-intentioned but the capabilities it exposes carry inherent risk.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (8)

HIGH Unrestricted message send capability -30

The imsg send command allows the agent to send messages and files to arbitrary phone numbers. There is no programmatic enforcement of user confirmation — only an advisory note in SKILL.md. A compromised or manipulated agent could send messages impersonating the user.

HIGH Full iMessage/SMS history access enables data exfiltration -30

The skill grants the agent unrestricted access to the user's entire iMessage and SMS history, including attachments. This data could be exfiltrated via the send command (forwarding messages to an attacker's number) or through other skills with network access.

MEDIUM File attachment send enables arbitrary file exfiltration -15

The --file flag on imsg send can transmit any file the agent can access to any phone number, creating a powerful data exfiltration channel that bypasses network monitoring (data leaves via iMessage, not HTTP).

MEDIUM Real-time chat surveillance via watch command -20

The imsg watch command enables persistent real-time monitoring of a chat conversation, which could be abused for surveillance without the user's active awareness.

MEDIUM Cross-skill attack amplification risk -20

In a multi-skill environment, a malicious skill could instruct the agent to use imsg to read sensitive conversations or send messages, turning this benign skill into an attack vector.

LOW Third-party Homebrew tap installation -10

The skill's install metadata references a third-party Homebrew tap (steipete/tap/imsg). While transparently declared, brew formula installation executes arbitrary Ruby code from the tap repository.

INFO Skill requires elevated macOS permissions -15

The skill requires Full Disk Access and Automation permissions for the terminal, which are powerful system-level entitlements. These are legitimate requirements for the stated functionality but expand the attack surface.

INFO Platform reads sensitive files during initialization -15

The openclaw gateway process reads .env, .aws/credentials, and other config files during skill installation. This is platform behavior, not skill-initiated, but worth noting.