himalaya
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The himalaya CLI tool supports executing arbitrary shell commands specified in the configuration file (e.g., backend.auth.cmd) to retrieve passwords from external sources.
- [DATA_EXFILTRATION]: The skill interacts with external IMAP and SMTP servers to read and send email data, which is its primary purpose but involves the transmission of sensitive personal information.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists because the agent reads untrusted content from external emails using commands like himalaya message read. 1. Ingestion points: Email content and headers retrieved from remote servers. 2. Boundary markers: No specific delimiters or instructions to ignore embedded commands are provided. 3. Capability inventory: Execution of CLI commands, shell command execution via config, and file system access for attachments and configuration. 4. Sanitization: No sanitization or filtering of email content is described in the skill.
Audit Metadata