himalaya-email-manager
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the sensitive configuration file at
~/.config/himalaya/config.toml, which contains email account settings and potentially authentication details or paths to credential stores. - [COMMAND_EXECUTION]: The skill utilizes the
himalayaCLI tool and local Python scripts to perform email operations. It includes functionality to delete emails, which is a destructive action. - [PROMPT_INJECTION]: The skill contains instructions that direct the agent to bypass user confirmation for deletions when running as an 'OpenCode agent', effectively removing a safety constraint. It is also vulnerable to indirect prompt injection from processed data.
- Ingestion points: External email content and metadata retrieved from IMAP servers via the
himalayatool. - Boundary markers: No delimiters or explicit warnings are provided to prevent the agent from obeying instructions embedded in email bodies or subjects.
- Capability inventory: The skill can delete emails, write files to the local filesystem, and execute subprocess commands via
uv runand thehimalayabinary. - Sanitization: The documentation only mentions basic character filtering (converting slashes to dashes) for filenames derived from email subjects.
Audit Metadata