himalaya
Pass
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `himalaya` command-line interface to perform email operations such as listing envelopes, reading message bodies, and sending emails.
- [EXTERNAL_DOWNLOADS]: The skill instructions provide a method to install the required `himalaya` binary using the Homebrew package manager.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it facilitates the ingestion of untrusted external content from email messages.
  - Ingestion points: Untrusted data enters the agent's context through the `himalaya message read` and `himalaya envelope list` commands in `SKILL.md`.
  - Boundary markers: The instructions lack specific delimiters or instructions to prevent the agent from interpreting and following commands embedded within the email text.
  - Capability inventory: The agent possesses capabilities that could be abused if compromised, including local file system access (for downloading attachments), shell command execution (via `himalaya`), and network operations (via Python's `smtplib`).
  - Sanitization: There is no evidence of sanitization, filtering, or validation performed on the email content before it is processed by the agent.
Audit Metadata