himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses Homebrew (
brew install himalaya) for installation, which is a trusted and well-known source for software packages.\n- [COMMAND_EXECUTION]: The skill documents thebackend.auth.cmdfeature of the Himalaya CLI, which allows for executing local shell commands to retrieve passwords from secure stores likepassor system keyrings. This is a functional requirement for secure operation.\n- [CREDENTIALS_UNSAFE]: Documentation inreferences/configuration.mdincludes an example for storing passwords in plain text (backend.auth.raw). While the documentation notes this is not recommended, it illustrates a potentially insecure configuration practice.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted data from email messages without explicit boundary markers or sanitization.\n - Ingestion points: Email content and headers are read through
himalaya message readandhimalaya envelope list.\n - Boundary markers: None present in the instructions to the agent.\n
- Capability inventory: The agent can send, delete, and move emails, and execute local commands via the tool's configuration.\n
- Sanitization: The skill does not provide instructions for sanitizing or escaping email content before the agent processes it.
Audit Metadata