registry  /  imsg-mcp  /  1.3.1

imsg-mcp@1.3.1

MCP server, CLI, and TUI for reading and sending iMessage / SMS on macOS — lets AI agents text humans, fetch conversation history, and stream-export entire chats. Includes a self-healing watchdog and an optional Rust acceleration module.

AI Security Review

scanned 11h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `imsg setup --write claude|cursor` or starts the MCP/CLI and calls message tools.
Impact
A user-approved agent host may gain this package's local message-reading and message-sending capability; no hidden exfiltration or install-time takeover was confirmed.
Mechanism
Explicit MCP host configuration plus local iMessage database access and AppleScript sending.
Rationale
No concrete malicious behavior, stealth persistence, install-time control-surface mutation, or exfiltration was found. The explicit agent-config setup and high-impact local messaging capability warrant a warning under the stated policy.
Evidence
package.jsondist/cli.jsdist/setup-B2HejfMT.jsdist/index.jsdist/shutdown-CikCSZru.jsnative/index.js~/Library/Application Support/Claude/claude_desktop_config.json~/.cursor/mcp.json~/Library/Messages/chat.db~/Library/Application Support/AddressBook/AddressBook-v22.abcddb~/.imsg-mcp/analytics-cache.db

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/setup-B2HejfMT.js` writes Claude or Cursor MCP configuration files.
  • `dist/cli.js` exposes that mutation through explicit `setup --write claude|cursor`.
  • `dist/index.js` reads local iMessage data and invokes message-send helpers.
  • `dist/shutdown-CikCSZru.js` runs `osascript` to send through Messages.app.
  • `native/index.js` loads a shipped native binding and invokes `ldd --version` only for Linux libc detection.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook.
  • `prepare` and `prepublishOnly` are build/verification scripts, not agent-config mutation.
  • No outbound networking APIs were found in packaged JavaScript.
  • Agent config writes are limited to a named MCP entry and create a `.bak` backup.
  • The local child process in `dist/cli.js` restarts the package's own MCP mode.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 13 file(s), 483 KB of source, external domains: github.com, json-schema.org, www.nerdfonts.com

Source & flagged code

6 flagged · loading source
native/index.jsView file
55try { L56: return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl') L57: } catch (e) {
High
Child Process

Package source references child process execution.

native/index.jsView on unpkg · L55
5L6: const { readFileSync } = require('node:fs') L7: let nativeBinding = null
Medium
Dynamic Require

Package source references dynamic require/import behavior.

native/index.jsView on unpkg · L5
dist/shutdown-CikCSZru.jsView file
3import Database from "better-sqlite3"; L4: import { execFile } from "node:child_process"; L5: import { randomUUID, randomBytes, createHash } from "node:crypto"; ... L10: if (value.startsWith("~/") || value === "~") { L11: return join(homedir(), value.slice(2)); L12: } ... L15: function getEnv() { L16: return process.env.VITE_ENV ?? "development"; L17: } ... L162: mem_mb: heapMB(), L163: data: data != null ? typeof data === "object" ? data : { value: data } : void 0 L164: };
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/shutdown-CikCSZru.jsView on unpkg · L3
dist/cli.jsView file
matchType = previous_version_dangerous_delta matchedPackage = imsg-mcp@1.3.0 matchedIdentity = npm:aW1zZy1tY3A:1.3.0 similarity = 0.846 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli.jsView on unpkg
6Cross-file remote execution chain: dist/cli.js spawns dist/index.js; helper contains network access plus dynamic code execution. L6: import { c as checkLocalAccess, f as formatAccessReport, q as installShutdownHandlers, r as registerCleanup, E as looksLikeThreadSlug } from "./shutdown-CikCSZru.js"; L7: import { spawn } from "node:child_process"; L8: import { join, dirname } from "node:path"; ... L13: class LocalMcpClient { L14: constructor(onStderr) { L15: this.onStderr = onStderr; ... L20: this.proc = spawn(process.execPath, [entry, "mcp"], { L21: cwd: process.cwd(), L22: stdio: ["pipe", "pipe", "pipe"] ... L24: this.proc.stderr.on("data", (chunk) => { L25: this.onStderr?.(chunk.toString("utf8")); L26: });
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/cli.jsView on unpkg · L6
native/imsg-native.darwin-arm64.nodeView file
path = native/imsg-native.darwin-arm64.node kind = native_binary sizeBytes = 2293632 magicHex = [redacted]
Medium
Ships Native Binary

Package ships native binary artifacts.

native/imsg-native.darwin-arm64.nodeView on unpkg

Findings

1 Critical3 High4 Medium6 Low
CriticalPrevious Version Dangerous Deltadist/cli.js
HighChild Processnative/index.js
HighShell
HighCross File Remote Execution Contextdist/cli.js
MediumDynamic Requirenative/index.js
MediumEnvironment Vars
MediumShips Native Binarynative/imsg-native.darwin-arm64.node
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptodist/shutdown-CikCSZru.js
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings