email-himalaya
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill facilitates the reading and processing of untrusted data from external senders (emails), which could contain malicious instructions.
- Ingestion points: The
himalaya message readandhimalaya envelope listcommands bring external, attacker-controlled content into the agent's context. - Boundary markers: The skill does not define delimiters or specific 'ignore embedded instructions' warnings for the agent when processing email bodies.
- Capability inventory: The agent is granted the ability to send emails (
himalaya message send) and reply to them (himalaya message reply), which could be abused if the agent follows instructions found within a read email. - Sanitization: No sanitization or filtering of email content is prescribed before the agent parses or acts upon the data.
- Data Exposure (SAFE): The skill documentation mentions the location of the email configuration file (
~/.config/himalaya/config.toml). While this is a sensitive path, the skill provides instructions for the user to configure it and does not include commands for the agent to extract or exfiltrate the file content itself. - Behavioral Note (LOW): The 'Keeping Emails Unread' workflow (immediately marking read emails as unread) could be used to facilitate stealthy data access, as it hides the agent's activity from the user's 'Read' status indicators.
Audit Metadata