himalaya
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents and facilitates the use of the backend.auth.cmd configuration parameter in ~/.config/himalaya/config.toml, which allows the execution of arbitrary shell commands (e.g., pass show email/imap) to retrieve authentication credentials.
- [DATA_EXFILTRATION]: The skill requires access to ~/.config/himalaya/config.toml, a sensitive file path that stores email account configurations and potentially credentials, as detailed in SKILL.md and references/configuration.md.
- [DATA_EXFILTRATION]: The skill provides capabilities to send data over the network to external SMTP servers via the himalaya template send and himalaya message write commands, which could be abused to exfiltrate information.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from external sources (emails).
  - Ingestion points: The himalaya message read and himalaya envelope list commands in SKILL.md bring external email bodies and subjects directly into the agent's context.
  - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the provided documentation or command examples.
  - Capability inventory: The skill possesses significant capabilities, including sending emails (himalaya template send), deleting messages (himalaya message delete), and modifying folder structures (himalaya message move).
  - Sanitization: There is no evidence of sanitization, filtering, or validation of email content before it is processed by the agent.
Audit Metadata