Safety Report

Imsg

Name: Imsg
Rating: 5 (16 reviews)
Author: steipete

@steipete

iMessage/SMS CLI for listing chats, history, watch, and sending.

8,632Downloads

637Installs

16Stars

1Versions

CLI & Shell Tools1,805 Customer Support1,744 Notifications & Alerts1,061

Security Analysis

medium confidence

Clean0.04 risk

The skill's instructions and requirements line up with an iMessage/SMS CLI for macOS, but you should verify the third‑party Homebrew tap and be cautious granting Full Disk Access and Automation permissions.

Feb 11, 20261 files1 concern

Purpose & Capabilityok

The name/description (iMessage/SMS CLI) match the runtime instructions which call the 'imsg' CLI to list chats, history, watch, and send. Requiring Messages.app to be signed in and macOS permissions (Full Disk Access and Automation) is consistent with reading/sending Messages data.

Instruction Scopeok

SKILL.md only instructs using the 'imsg' CLI and documents expected flags and macOS permissions. It does not ask to read unrelated files, export data to external endpoints, or access unrelated credentials. It does reference local file paths for attachments (which is expected).

Install Mechanismnote

The skill is instruction-only (no code shipped), but its metadata recommends installing a Homebrew formula from the steipete/tap ('steipete/tap/imsg'). Installing from a third‑party tap is a moderate-risk install vector compared with an official Homebrew/core formula — you should review the formula/source before installing.

Credentialsok

The skill declares no environment variables, no credentials, and no config paths. The macOS permissions (Full Disk Access, Automation control of Messages.app) are sensitive but proportionate to an iMessage CLI that reads and sends Messages.

Persistence & Privilegeok

The skill is not set to always:true and does not request special platform-wide persistence. Model invocation is allowed (platform default); that is expected for a user-invocable skill and not a standalone concern here.

Guidance

This skill appears to do what it says: it's a wrapper around a macOS 'imsg' CLI. Before installing: (1) verify the Homebrew formula's source (the metadata points to the third‑party tap 'steipete/tap') — inspect the formula and its GitHub repo to ensure it's trustworthy; (2) be aware that granting Full Disk Access to your terminal and Automation permission for Messages.app allows the CLI to read your message database and attachments — only grant these to a terminal you trust or consider creating an isolated account/environment; (3) confirm recipients and review messages before sending (SKILL.md already advises this); and (4) if you need stronger assurance, prefer an official distribution or build the tool from source yourself. If you cannot review the brew tap or source, treat the install as higher risk.

Latest Release

v1.0.0

More by @steipete

Gog

672 stars

Github

267 stars

Weather

229 stars

Frontend Design

186 stars

Openai Whisper

173 stars

Nano Banana Pro

164 stars

Published by @steipete on ClawHub