iMessage & Signal Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it works by reading very private message and contact data.

Install only if you are comfortable letting an agent read and summarize private chat history. Use a specific contact and limit where possible, avoid granting broad Full Disk Access unless needed, protect Signal export files, and revoke Full Disk Access or unlink signal-cli when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs reading highly sensitive local data sources such as the iMessage chat database and Signal exports, yet no explicit permissions are declared. That mismatch creates a consent and transparency failure: an agent could invoke data-access behavior without a clear, user-visible declaration that private files and message history will be read.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented AddressBook lookup expands the data collection surface beyond message analysis into contact-database access, which is a separate category of personal information. This is dangerous because it encourages retrieval of additional private data not strictly necessary for the core task, increasing privacy exposure and the chance of over-collection.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation description is broad enough to match ordinary requests about reading messages or evaluating relationships, which can cause the skill to trigger in situations where the user did not intend local private chat data to be accessed. In the context of a skill that targets sensitive communications, overbroad activation materially increases the risk of unintended privacy-invasive behavior.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill quickly moves into instructions for accessing iMessage databases, Full Disk Access, and Signal exports without first presenting a clear privacy warning about the sensitivity of message history and contact metadata. Because the data involved is intimate and comprehensive, failing to warn and obtain informed consent significantly raises the risk of users exposing highly personal conversations without understanding the implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script accesses highly sensitive local message history and prints contact identifiers and message content directly to stdout with no explicit consent flow, minimization, or privacy warning. In agent or shared-terminal contexts, this can expose private communications to logs, transcripts, other users, or downstream tooling beyond what the user expected.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Signal export JSON contains private conversation data, and the script loads and analyzes it without warning the user that sensitive content may be displayed or exposed in command history, terminal scrollback, agent traces, or logs. Because exported chat archives are especially sensitive and often contain multiple conversations, this increases the risk of unintended disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
