skills/factorial-io/skills/himalaya/Gen Agent Trust Hub

himalaya

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • Indirect Prompt Injection (LOW): The skill is designed to read and list emails from external sources, which constitutes a significant attack surface for indirect prompt injection.
      • Ingestion points: himalaya message read, himalaya envelope list.
      • Boundary markers: None specified; the agent receives raw email content without delimiters or instructions to ignore embedded commands.
      • Capability inventory: The agent can send emails (himalaya template send), delete messages/folders, and read arbitrary files via attachments.
      • Sanitization: No evidence of sanitization or filtering of email bodies before processing.
  • Data Exfiltration (LOW): The skill demonstrates the use of MML syntax (<#part filename=/path/to/file.pdf>) to attach local files to outgoing emails.
      • Risk: An attacker could use indirect prompt injection to trick the agent into attaching sensitive local files (e.g., SSH keys, configuration files) and sending them to an external address.
      • Mitigation: The severity is lowered to LOW because this is a core functionality of the intended email management tool, though it remains a significant capability risk.
  • Command Execution (SAFE): The skill documentation uses standard CLI patterns for the himalaya tool. While it interacts with the system shell, it does not download untrusted binaries or execute arbitrary strings from the network directly.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:27 PM