
himalaya

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill allows an agent to ingest untrusted data from an external source (email) and act upon it with high-privilege capabilities.
      • Ingestion points: Untrusted data enters the agent context through himalaya message read [ID] and himalaya envelope list (SKILL.md).
      • Boundary markers: Absent. There are no instructions to the agent to distinguish between its own system instructions and the content of the emails being read.
      • Capability inventory: The skill provides commands for sending emails (himalaya template send), deleting emails (himalaya message delete), and modifying mailbox state (himalaya message move) (SKILL.md).
      • Sanitization: Absent. No logic is provided to sanitize email body content before processing.
  • Data Exfiltration & Exposure (HIGH): The tool is designed to access and transmit sensitive communication data.
      • Exposure: The agent has full visibility into the user's mailbox, including potential sensitive documents and personal information.
      • Exfiltration: A malicious prompt (direct or indirect) could instruct the agent to forward the contents of messages or local files to an attacker-controlled email address using himalaya template send or himalaya message forward.
  • Command Execution (MEDIUM): The skill relies on executing the himalaya binary via the shell. While the tool is a legitimate utility, the agent is granted the ability to run various subcommands that can significantly impact the user's email account state.
  • External Downloads (LOW): The skill metadata specifies a dependency on an external binary to be installed via brew install himalaya. While Homebrew is a common source, the binary is not from a source in the pre-defined trusted list.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:10 AM