himalaya
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The documentation in
references/configuration.mdprovides examples for storing passwords in plain text using thebackend.auth.rawfield. While marked as not recommended, this encourages an insecure practice that can lead to credential exposure if the configuration file is accessed. - [COMMAND_EXECUTION]: The tool supports executing local commands to retrieve passwords (e.g.,
backend.auth.cmd = "pass show email/imap"). If an attacker gains the ability to modify theconfig.tomlfile, they could achieve arbitrary command execution on the host system. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from external sources.
- Ingestion points: The
himalaya message readandhimalaya envelope listcommands pull content directly from external IMAP servers. - Boundary markers: There are no defined boundary markers or instructions provided to the agent to treat email content as untrusted data.
- Capability inventory: The skill possesses capabilities to send emails, delete messages, and execute commands defined in its configuration.
- Sanitization: The skill does not implement or recommend any sanitization or filtering of the email body content before it is processed by the agent.
Audit Metadata