himalaya

Pass

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: SAFE
Finding categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the himalaya CLI tool, which is an external dependency typically installed via package managers like Homebrew.
  • [COMMAND_EXECUTION]: The skill operates by executing the himalaya binary. It supports secure password retrieval by executing local commands like pass or security as part of its configuration.
  • [DATA_EXFILTRATION]: The skill is designed to read and transmit email data over IMAP and SMTP protocols to user-configured servers.
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it processes untrusted email content from external senders.
    1. Ingestion points: Email content is read into the agent context via himalaya message read (defined in SKILL.md).
    2. Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the documentation.
    3. Capability inventory: The skill can send emails, download attachments to the local file system, and delete messages (defined in SKILL.md).
    4. Sanitization: There is no evidence of content sanitization or filtering of the email body before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 9, 2026, 09:12 PM