himalaya
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by reading external data (emails).
- Ingestion points: The skill uses
himalaya envelope listandhimalaya message readto pull external email content into the agent's context (referenced inSKILL.md). - Boundary markers: No specific delimiters or "ignore instructions" warnings are utilized to wrap the email content.
- Capability inventory: The skill allows for sending, replying to, and deleting emails, which could be abused if the agent follows malicious instructions hidden in an incoming email.
- Sanitization: There is no evidence of sanitization or filtering of the email body or headers before processing.
- [COMMAND_EXECUTION]: The skill's core functionality relies on executing the
himalayaCLI tool. - Evidence: Multiple shell commands in
SKILL.md(e.g.,himalaya account configure,himalaya message send) invoke the external binary to perform operations. - [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of the Himalaya CLI via a well-known package manager.
- Evidence: The YAML frontmatter in
SKILL.mdincludes an installation step usingbrewfor thehimalayaformula. Homebrew is a well-known service.
Audit Metadata