himalaya

Fail

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides installation instructions in SKILL.md that download and execute a script from a remote URL using curl -sSL https://raw.githubusercontent.com/pimalaya/himalaya/master/install.sh | PREFIX=~/.local sh. This allows for arbitrary code execution from a third-party source.
  • [CREDENTIALS_UNSAFE]: The skill requires access to ~/.config/himalaya/config.toml in SKILL.md and references/configuration.md, which contains sensitive IMAP and SMTP credentials. The documentation also provides examples of potentially unsafe plain-text passwords.
  • [DATA_EXFILTRATION]: The skill provides the ability to read and send emails, which allows the agent to access private messages and transmit data to external recipients as part of its core functionality.
  • [PROMPT_INJECTION]: The skill processes untrusted email content from the himalaya message read command, creating a surface for indirect prompt injection.
  • Ingestion points: Raw email bodies are read into the agent's context in SKILL.md.
  • Boundary markers: None provided to separate untrusted email content from agent instructions.
  • Capability inventory: The skill can send emails, download files, and manage folders via the himalaya CLI.
  • Sanitization: There is no filtering or validation of the email content before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 01:45 PM
Security Audit — agent-trust-hub — himalaya