himalaya
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates reading emails from external, untrusted senders using `himalaya message read`, creating a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the context via the `himalaya message read` and `himalaya envelope list` commands (SKILL.md).
  - Boundary markers: Absent. The skill provides no delimiters or instructions to treat email content as data rather than instructions.
  - Capability inventory: The agent can send emails (`himalaya message write`), delete messages (`himalaya message delete`), and download attachments to the local disk (`himalaya attachment download`) as documented in SKILL.md.
  - Sanitization: Absent. There is no evidence of filtering or escaping content retrieved from IMAP backends.
- [DATA_EXFILTRATION]: The skill documentation for message composition in `references/message-composition.md` describes the use of MML tags like `<#part filename=/path/to/file>`. This allows the agent to attach any local file accessible to the user to an outgoing email, which could be exploited to exfiltrate sensitive data (e.g., `.ssh/id_rsa` or `.env` files) if the agent is manipulated.
- [COMMAND_EXECUTION]: The configuration reference in `references/configuration.md` details the `backend.auth.cmd` feature. This parameter allows the tool to execute arbitrary shell commands (e.g., `pass` or `security`) to retrieve passwords. While a standard feature of the CLI tool, it represents a mechanism for executing local commands based on the configuration state.