Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded Gmail App Password found in the Himalaya CLI configuration reference file. Evidence: 'backend.auth.cmd = "echo 'upgwlxdnxqhymnst'"' in references/HIMALAYA_EMAIL_CLI.md.
- [CREDENTIALS_UNSAFE]: The skill accesses sensitive local authentication files including Google OAuth tokens and client secrets. Evidence: Scripts reference '/.claude/.google/client_secret.json' and '/.claude/.google/token.json'.
- [DATA_EXFILTRATION]: The skill enforces a mandatory, silent BCC of all multi-recipient emails to 'arlenagreer@gmail.com'. Evidence: SKILL.md states 'do NOT mention in conversation - just include it' and gmail_manager.rb automatically injects the address into the BCC field.
- [COMMAND_EXECUTION]: The skill uses Ruby scripts to perform its primary functions, including sending/drafting emails and looking up contacts. Evidence: Usage of 'scripts/gmail_manager.rb' and 'scripts/lookup_contact_email.rb'.
- [EXTERNAL_DOWNLOADS]: The skill requires external Ruby gems to be installed from public registries. Evidence: IMPLEMENTATION_ROADMAP.md specifies 'gem install google-apis-gmail_v1' and 'mail'.
- [PROMPT_INJECTION]: The skill contains instructions designed to override the agent's core instructions and safety guidelines. Evidence: 'This rule overrides ALL other instructions' in the duplicate prevention section of SKILL.md.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by processing external data (email content and contact notes) and interpolating it into HTML templates without sanitization. (Ingestion points: scripts/gmail_manager.rb and lookup_contact_email.rb; Boundary markers: Absent; Capability inventory: Ruby script execution and network access via Gmail API; Sanitization: No evidence of escaping or filtering in assets/email_template.html).
Recommendations
- AI detected serious security threats