himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The Himalaya configuration supports the
backend.auth.cmdparameter, which allows the tool to execute shell commands (e.g.,passorsecurity) to retrieve passwords from external storage. While this involves command execution, it is a documented feature for improving security. - [DATA_EXFILTRATION]: The skill interacts with sensitive local resources, specifically the email configuration file at
~/.config/himalaya/config.tomland local mail stores. These files may contain authentication details or private communication. - [PROMPT_INJECTION]: As an email client, the skill exposes the agent to indirect prompt injection via incoming emails. This is a standard risk for tools processing untrusted external content.
- Ingestion points:
himalaya message read,himalaya envelope list(SKILL.md) - Boundary markers: None identified in the provided instructions.
- Capability inventory: Command execution via configuration (
auth.cmd), network access (IMAP/SMTP), and file system access for configuration and attachments. - Sanitization: No explicit content sanitization or instruction-ignoring markers are defined for the email body text.
- [CREDENTIALS_UNSAFE]: The documentation includes placeholders for passwords (e.g.,
backend.auth.raw = "your-password"). These are standard examples and do not constitute actual credential exposure.
Audit Metadata