himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected. The skill provides commands to read email content (e.g., `himalaya message read` in `SKILL.md`), which constitutes untrusted external data. This data could contain instructions designed to influence the agent's behavior.
  - Ingestion points: Reading emails via `himalaya message read` and `himalaya message export`.
  - Boundary markers: None identified in the provided instructions to delimit email content from agent instructions.
  - Capability inventory: The skill can send emails, download attachments, and modify email flags, providing a feedback loop for potential attackers.
  - Sanitization: No sanitization or validation of email content is mentioned before processing.
- [COMMAND_EXECUTION]: The skill relies on the execution of the `himalaya` CLI tool. Additionally, the configuration reference in `references/configuration.md` documents the `backend.auth.cmd` feature, which allows the execution of arbitrary shell commands (e.g., `pass show email/imap`) to retrieve passwords at runtime.
- [CREDENTIALS_UNSAFE]: The documentation in `references/configuration.md` illustrates the use of `backend.auth.raw` for storing passwords in plain text within the configuration file. While the provided value 'your-password' is a placeholder, this practice is noted as discouraged in the documentation itself.