v1.0.0

imsgctl

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:38 AM.

Analysis

Review before installing: the skill is read-only and transparent, but it can expose private Apple Messages history, attachments, and live activity through an external CLI that may require Full Disk Access.

GuidanceInstall only if you intentionally want the agent to inspect local Apple Messages data. Verify the imsgctl Homebrew package first, prefer a scoped replica database over granting Full Disk Access, and keep requests limited to specific chats, time ranges, and attachment needs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

install spec

brew | formula: jpreagan/tap/imsgctl | creates binaries: imsgctl

The skill depends on an external Homebrew tap binary, while the provided artifacts contain no implementation for the reviewer to inspect.

User impactA user must trust the external package before allowing it to access private Messages data or a process with Full Disk Access.

RecommendationVerify the upstream project and Homebrew tap before installing, and avoid granting broad local permissions unless the package provenance is trusted.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Use `watch` only for live monitoring. It streams until interrupted.

The live monitoring command can continue reading new message activity until it is stopped.

User impactIf left running, new message activity may continue to flow into the agent session longer than intended.

RecommendationUse live watch only after an explicit user request and stop it promptly when the monitoring task is complete.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Direct access to `~/Library/Messages/chat.db` requires macOS and Full Disk Access for the process doing the reading.

Full Disk Access is a broad local permission, and the skill is intended to use it to read a protected Apple Messages database.

User impactGranting this access could let the running process read private local data beyond the specific chat the user intended to inspect.

RecommendationPrefer the replica database when possible, grant Full Disk Access only to a trusted process, and use explicit chat IDs, time windows, and limits.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

Use `imsgctl` to read Apple Messages data available on the current machine.

Message history, chat identifiers, and attachment metadata can be returned to the agent in machine-readable form and become part of the working context.

User impactPrivate conversations or attachment details may be exposed in the agent session if broad history is requested.

RecommendationRequest only the needed chats and time ranges, avoid unnecessary attachment metadata, and do not reuse or share outputs containing private messages.