skills/agentscope-ai/copaw/himalaya/Gen Agent Trust Hub

himalaya

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses Homebrew to install the 'himalaya' formula, which is an external dependency required for functionality.
  • [COMMAND_EXECUTION]: The skill performs numerous subprocess calls to the 'himalaya' binary to list, read, and manage emails. It also highlights configuration options that allow the tool to execute shell commands like 'pass' or 'security' to retrieve passwords.
  • [DATA_EXFILTRATION]: The skill manages access to sensitive information, including email account credentials stored in '~/.config/himalaya/config.toml' and the private contents of a user's mailbox.
  • [PROMPT_INJECTION]: The skill reads email content via 'himalaya message read', which introduces an indirect prompt injection surface.
      • Ingestion points: Email bodies and headers retrieved via 'himalaya message read' and 'himalaya envelope list' as described in SKILL.md.
      • Boundary markers: The skill lacks explicit instructions for the agent to use delimiters or ignore instructions found within email content.
      • Capability inventory: The agent can move, copy, and delete emails, download attachments, and potentially modify configuration files that support command execution as defined in SKILL.md and references/configuration.md.
      • Sanitization: No sanitization or filtering of email content is described.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 12, 2026, 02:48 AM