Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Imessage Skill
v1.0.2 · Sends and receives iMessage messages through the macOS Messages app, supporting text and images, and manages recent chat history and the contact list.
⭐ 0 · 1.3k · 7 current · 8 all-time
by MaxStormSpace @lilei0311
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name, description, and requested system dependencies (macOS, Messages, Accessibility permission, Python) are consistent. skill.json declares the use of osascript/Messages, and both SKILL.md and the scripts use AppleScript and Apple's Messages app as the implementation, so the overall capability matches what is declared.
Instruction Scope
SKILL.md explicitly includes a "remote control" feature: it detects control commands prefixed with '!' and executes them after verifying admin privileges and the whitelist. The script imports subprocess (which can execute shell/osascript), and the main source code is truncated in the submission, so it cannot be confirmed whether the execution path is strictly limited to safe internal operations. Although remote control is disabled by default and whitelist/blacklist mechanisms are declared, automatically detecting and executing commands that arrive via iMessage (for example through recent check_control=true) widens the attack surface; if implemented carelessly, it could lead to arbitrary command execution or data leakage.
Install Mechanism
No unknown binaries or external install scripts are downloaded; this is an instructions-plus-source package (scripts/main.py). No high-risk install methods such as untrusted URLs or shortened links are used. The risk comes mainly from runtime permissions and code behaviour, not from the installation source.
Credentials
No additional environment variables or external credentials are requested; the required permissions (Accessibility permission, a signed-in Apple ID) are consistent with operating macOS Messages. The only required configuration is a local config.json (trusted contacts, administrators, whitelist/blacklist, etc.), which is proportionate overall.
Persistence & Privilege
Does not set always:true and does not automatically obtain platform-level forced persistence privileges. The script writes security.log and control.log in its own skill directory (normal local logging behaviour). No sign of modifying other skills or the global agent configuration.
What to consider before installing
This skill largely does what it says: it controls macOS Messages and offers a documented remote-control feature. However:
- The remote-control feature (receiving commands via iMessage and executing them) is the main risk. It is default-disabled — keep it disabled unless you explicitly need it.
- Before enabling remote control, manually review the full scripts/main.py to confirm how control commands are executed. Pay attention to any use of subprocess, os.system, exec/eval, or direct shell execution: these can be abused if whitelist/blacklist logic is bypassable.
- Limit admin_contacts to a very small, trusted set (ideally your own number) and test allowed_commands/blocked_commands carefully. Prefer a minimal allowed_commands list.
- Keep require_confirmation=true for sending to non-trusted contacts and do not add broad patterns to trusted_contacts.
- Inspect security.log and control.log after running; consider moving logs to a location you control and reviewing entries regularly.
- Because part of the shipped main.py is truncated in the provided package, treat the package as partially unverifiable until you can obtain and audit the complete source from a trustworthy origin (e.g., an official repo). If you cannot audit the full code, avoid enabling remote control and avoid running the skill with elevated privileges.
If you want, I can scan the remaining parts of scripts/main.py (or search the file for subprocess/exec/osascript usage) to point out exact places to review.

Like a lobster shell, security has layers — review code before you run it.
