himalaya
Fail
Audited by Gen Agent Trust Hub on Feb 12, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS)
Full Analysis
🔴 HIGH Findings: • Command Execution via $EDITOR
- SKILL.md, Line 140: The skill explicitly states that himalaya message write and himalaya message reply will "open $EDITOR". This means the skill will execute the program specified by the user's $EDITOR environment variable. If $EDITOR is set to a malicious script, the skill will execute it, leading to arbitrary command execution.
• Data Exfiltration via Arbitrary File Attachments
- references/message-composition.md, Line 79: The MML syntax for composing emails allows specifying filename=/path/to/document.pdf for attachments. This means the skill can be instructed to read any file from the local filesystem and attach it to an outgoing email. If a malicious prompt or user error leads to a sensitive file path being provided, this could result in data exfiltration.
🟡 MEDIUM Findings: • Insecure Credential Storage Option
- references/configuration.md, Line 22: The configuration reference documents backend.auth.raw = "your-password" as a method for password storage. Although explicitly marked as "(testing only, not recommended)", its presence as a documented option introduces a potential vector for insecure credential storage.
🔵 LOW Findings: • External Dependency on Himalaya Binary
- SKILL.md, Line 5: The skill requires the himalaya binary, which is installed via brew and sourced from https://github.com/pimalaya/himalaya. While brew is a trusted package manager and the source is a public GitHub repository, it is still an external dependency. This is noted as a low risk due to the trusted nature of the source and installation method.
ℹ️ INFO Findings: • Indirect Prompt Injection Susceptibility
- SKILL.md: The skill processes email content (reading, composing, replying). If the AI is prompted to interact with or generate content based on a malicious email, it could be susceptible to indirect prompt injection. This is an inherent risk for skills that handle untrusted external data.
Recommendations
- AI detected serious security threats
Audit Metadata