himalaya

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by reading external data (emails).
  • Ingestion points: The skill uses himalaya envelope list and himalaya message read to pull external email content into the agent's context (referenced in SKILL.md).
  • Boundary markers: No specific delimiters or "ignore instructions" warnings are utilized to wrap the email content.
  • Capability inventory: The skill allows for sending, replying to, and deleting emails, which could be abused if the agent follows malicious instructions hidden in an incoming email.
  • Sanitization: There is no evidence of sanitization or filtering of the email body or headers before processing.
  • [COMMAND_EXECUTION]: The skill's core functionality relies on executing the himalaya CLI tool.
  • Evidence: Multiple shell commands in SKILL.md (e.g., himalaya account configure, himalaya message send) invoke the external binary to perform operations.
  • [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the Himalaya CLI via a well-known package manager.
  • Evidence: The YAML frontmatter in SKILL.md includes an installation step using brew for the himalaya formula. Homebrew is a well-known service.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — himalaya