himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill operates by executing the himalaya CLI tool. Additionally, the configuration schema supports the backend.auth.cmd field, which executes user-defined shell commands (such as pass or security) to retrieve credentials.
- [DATA_EXFILTRATION]: The skill's primary function is to access and manage sensitive email data, including reading message content and downloading attachments from remote servers.
- [CREDENTIALS_UNSAFE]: The documentation provides examples of storing passwords in plain text within the config.toml file via the backend.auth.raw field. While marked as not recommended, this presents a risk of credential exposure if implemented.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
  1. Ingestion points: Untrusted data enters the agent context through email headers and bodies retrieved via himalaya envelope list and himalaya message read.
  2. Boundary markers: The instructions lack explicit delimiters or warnings to ignore instructions embedded within the processed email content.
  3. Capability inventory: The agent has the ability to send emails, delete messages, and download attachments.
  4. Sanitization: There is no evidence of sanitization or filtering of the incoming email data before it is presented to the agent.
Audit Metadata