himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it allows the agent to read and process untrusted email content.
  • Ingestion points: The `himalaya message read` and `himalaya envelope list` commands in `SKILL.md` bring external email data into the agent's context.
  • Boundary markers: Absent; there are no instructions or delimiters defined to isolate untrusted email content from agent instructions.
  • Capability inventory: The skill has the capability to send emails (`himalaya message write`), download attachments (`himalaya attachment download`), and execute commands via the `backend.auth.cmd` setting in `references/configuration.md`.
  • Sanitization: Absent; there is no logic to filter or sanitize the content of emails before they are processed by the agent.
- [COMMAND_EXECUTION]: The skill uses the `himalaya` CLI, which executes commands in the system shell. Furthermore, the configuration documentation in `references/configuration.md` describes the `backend.auth.cmd` feature, which executes arbitrary shell commands to retrieve passwords.
- [DATA_EXFILTRATION]: The skill handles sensitive information including email contents and the configuration file located at `~/.config/himalaya/config.toml`, which may store credentials or authentication commands.
Audit Metadata