imessage — agentic threat model
The iMessage plugin presents a high-risk profile due to its direct access to the macOS chat.db and its ability to send messages via AppleScript under the user's identity. While it includes basic access controls, any compromise could lead to severe local data exfiltration and unauthorized communication.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Rationale |
|---|---|---|
| Autonomy of Action | 0.70 | |
| Goal-Driven Planning | 0.20 | |
| Self-Modification | 0.00 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.10 | |
| Contextual Awareness | 0.60 | |
| Dynamic Identity | 0.80 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.30 | |
| Opacity & Reflexivity | 0.20 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
- Layer 1, Foundation Models: Not certain from the listing — The foundation model is not specified; however, adversarial inputs to the host LLM could be leveraged to craft malicious AppleScript payloads or unauthorized database queries.
- Layer 2, Data Operations: Directly reads the macOS chat.db database. This exposes the user's entire local iMessage chat history to the agent, creating a severe data exfiltration and privacy risk if the agent is compromised or misaligned.
- Layer 3, Agent Frameworks: Uses AppleScript as an execution tool to send messages. This introduces a tool-misuse risk, where an attacker could manipulate the agent into sending unauthorized messages, spam, or phishing links under the host's legitimate identity.
- Layer 4, Deployment and Infrastructure: Runs locally on macOS, requiring Full Disk Access (to read chat.db) and Automation permissions (to control Messages via AppleScript). A compromise at this layer could lead to local privilege escalation or broader host compromise.
- Layer 5, Evaluation and Observability: Not certain from the listing — There is no mention of logging, auditing, or guardrails to monitor the SQL queries executed against chat.db or the AppleScript commands dispatched to the system.
- Layer 6, Security and Compliance: Features a built-in access control mechanism managed via the /imessage:access policy command. While this provides a layer of authorization, the policy enforcement engine itself must be secured against prompt injection or bypass.
- Layer 7, Agent Ecosystem: Not certain from the listing — While it is a bundled plugin, the listing does not detail how it interacts with other agents or whether other agents in the ecosystem can transitively call its high-privilege messaging capabilities.
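The Layer 5 and Layer 6 gaps above (no audit trail around chat.db queries or sends, and an access policy that must resist bypass) can be closed at the database boundary rather than in the prompt. The following is an added example, not the plugin's own code: it uses SQLite's authorizer hook to confine the agent to read-only SELECTs over an allowlist of tables, gates outbound sends on a recipient allowlist, and records every decision. The two-table stand-in for chat.db, the `ImessageGuard` class, the table and recipient allowlists, and the injected `deliver` callable (replacing the AppleScript send) are all assumptions for the example.

```python
import sqlite3

# Constructed stand-in for chat.db: two tables from the real schema, rows invented for the example.
def open_sample_chatdb() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER, text TEXT);
        INSERT INTO handle VALUES (1, '+15550100');
        INSERT INTO message VALUES (1, 1, 'hello');""")
    return conn

ALLOWED_TABLES = {"message", "handle"}  # assumed read allowlist; sqlite_master is deliberately absent

def _authorizer(action, table, column, db_name, trigger):
    # SQLite calls this while preparing every statement: allow SELECT over allowlisted
    # tables and built-in functions; deny writes, PRAGMA, ATTACH and reads of other tables.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and table in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

class ImessageGuard:
    # Hypothetical gate in front of the plugin's two privileged actions: chat.db reads and sends.
    def __init__(self, conn, allowed_recipients, deliver):
        conn.set_authorizer(_authorizer)
        self.conn = conn
        self.allowed_recipients = frozenset(allowed_recipients)  # assumed shape of the access policy
        self.deliver = deliver  # stands in for the AppleScript send so the example runs offline
        self.audit = []         # the audit trail the listing does not mention

    def query(self, sql, params=()):
        try:
            rows = self.conn.execute(sql, params).fetchall()
        except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
            self.audit.append(("sql-denied", sql, str(exc)))
            raise PermissionError(f"query blocked: {sql}") from exc
        self.audit.append(("sql-ok", sql, len(rows)))
        return rows

    def send(self, recipient, text):
        if recipient not in self.allowed_recipients:
            self.audit.append(("send-denied", recipient))
            raise PermissionError(f"recipient not in access policy: {recipient}")
        self.audit.append(("send-ok", recipient))
        self.deliver(recipient, text)
        return True
```

Because the authorizer runs inside SQLite at prepare time, a prompt-injected `DELETE`, `ATTACH` or `sqlite_master` enumeration is refused before it executes, and the refusal lands in the audit list alongside the legitimate reads and sends.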
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).