himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's metadata and documentation specify the installation of the `himalaya` binary through the Homebrew package manager (`brew`).
- [COMMAND_EXECUTION]: The skill heavily utilizes the `himalaya` CLI for all operations. It specifically supports a `backend.auth.cmd` configuration that executes shell commands (e.g., `pass` or `security`) to retrieve sensitive credentials from local password managers.
- [DATA_EXFILTRATION]: By design, the skill accesses and potentially transmits sensitive email data including message bodies, headers, and attachments across the network to IMAP/SMTP servers. It also provides functionality to download attachments to the local filesystem.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection via incoming email content.
- Ingestion points: Untrusted data enters the agent's context through commands like `himalaya message read` and `himalaya envelope list` which fetch external email content.
- Boundary markers: The skill provides no delimiters or instructions to the agent to help it distinguish between its system guidelines and instructions potentially embedded in email text.
- Capability inventory: The agent possesses powerful capabilities including sending emails, deleting messages, and managing account configurations via the CLI tool.
- Sanitization: No sanitization or validation of the fetched email content is performed before it is processed by the AI agent.
Audit Metadata