himalaya
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides installation instructions in
SKILL.mdthat download and execute a script from a remote URL usingcurl -sSL https://raw.githubusercontent.com/pimalaya/himalaya/master/install.sh | PREFIX=~/.local sh. This allows for arbitrary code execution from a third-party source. - [CREDENTIALS_UNSAFE]: The skill requires access to
~/.config/himalaya/config.tomlinSKILL.mdandreferences/configuration.md, which contains sensitive IMAP and SMTP credentials. The documentation also provides examples of potentially unsafe plain-text passwords. - [DATA_EXFILTRATION]: The skill provides the ability to read and send emails, which allows the agent to access private messages and transmit data to external recipients as part of its core functionality.
- [PROMPT_INJECTION]: The skill processes untrusted email content from the
himalaya message readcommand, creating a surface for indirect prompt injection. - Ingestion points: Raw email bodies are read into the agent's context in
SKILL.md. - Boundary markers: None provided to separate untrusted email content from agent instructions.
- Capability inventory: The skill can send emails, download files, and manage folders via the
himalayaCLI. - Sanitization: There is no filtering or validation of the email content before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata