himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing the
himalayaCLI for all operations, including account setup and email management. - [DATA_EXFILTRATION]: The skill manages sensitive email data and credentials. It documents how to store passwords in
~/.config/himalaya/config.toml, including a discouraged example of plain-text storage (backend.auth.raw). - [EXTERNAL_DOWNLOADS]: The skill metadata includes instructions to download and install the
himalayabinary using the Homebrew package manager. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it processes untrusted content from the internet (emails).
- Ingestion points: Untrusted data enters the agent context through
himalaya envelope listandhimalaya message readas seen inSKILL.md. - Boundary markers: The instructions do not define delimiters or provide warnings to the agent to disregard instructions embedded within email bodies.
- Capability inventory: The skill provides the agent with powerful capabilities, including sending emails (
himalaya message write), deleting messages (himalaya message delete), and downloading attachments to the local filesystem (himalaya attachment download) (documented inSKILL.md). - Sanitization: There is no evidence of sanitization or validation of the email content before it is passed to the agent's context.
Audit Metadata