himalaya-email-manager

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses the sensitive configuration file at ~/.config/himalaya/config.toml, which contains email account settings and potentially authentication details or paths to credential stores.
  • [COMMAND_EXECUTION]: The skill utilizes the himalaya CLI tool and local Python scripts to perform email operations. It includes functionality to delete emails, which is a destructive action.
  • [PROMPT_INJECTION]: The skill contains instructions that direct the agent to bypass user confirmation for deletions when running as an 'OpenCode agent', effectively removing a safety constraint. It is also vulnerable to indirect prompt injection from processed data.
  • Ingestion points: External email content and metadata retrieved from IMAP servers via the himalaya tool.
  • Boundary markers: No delimiters or explicit warnings are provided to prevent the agent from obeying instructions embedded in email bodies or subjects.
  • Capability inventory: The skill can delete emails, write files to the local filesystem, and execute subprocess commands via uv run and the himalaya binary.
  • Sanitization: The documentation only mentions basic character filtering (converting slashes to dashes) for filenames derived from email subjects.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 12:33 PM
Security Audit — agent-trust-hub — himalaya-email-manager