himalaya

Fail

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The installation section in SKILL.md directs users to pipe a remote shell script from a GitHub repository directly into the shell using curl -sSL ... | sh. This executes unverified code from an external source (pimalaya/himalaya) that is not identified as a trusted provider, posing a significant risk of arbitrary code execution.
  • [DATA_EXFILTRATION]: The skill's integration with MIME Meta Language (MML) for composing emails, as detailed in references/message-composition.md, creates a vector for data exfiltration. MML tags like <#part filename=...> allow for the attachment of arbitrary local files. Since the skill recommends piping content from previous commands or user-supplied templates into the himalaya template send command without sanitization, an attacker could use indirect prompt injection to trick the agent into attaching sensitive system files to an outgoing email. Evidence: Untrusted ingestion points include email bodies and user inputs; capability inventory includes file-read and network-send (SMTP); and there is an absence of boundary markers or sanitization logic.
  • [CREDENTIALS_UNSAFE]: The documentation in references/configuration.md includes examples of storing plain-text passwords directly in the configuration file using the backend.auth.raw setting. While labeled for testing, this encourages the exposure of sensitive credentials in a configuration file (~/.config/himalaya/config.toml) that may be accessed by other tools or users on the system.
  • [COMMAND_EXECUTION]: The skill facilitates downloading email attachments to arbitrary local directories and allows the configuration of external commands to retrieve passwords (backend.auth.cmd), both of which increase the potential impact if the tool's inputs are manipulated by a malicious actor.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 27, 2026, 07:07 AM