Is himalaya safe?
https://clawhub.ai/lamelas/himalaya
Himalaya is a pure documentation skill wrapping a legitimate open-source CLI email client. It contains no executable code, no prompt injection attempts, and no hidden malicious content. However, the capability it enables — programmatic email access including sending with arbitrary file attachments — creates an inherent risk surface. A manipulated agent could use these documented commands to exfiltrate files via email or read sensitive communications.
Findings (6)
MEDIUM (-20): Programmatic email send enables data exfiltration channel
The skill teaches the agent to use 'himalaya template send' which accepts piped input and sends emails without interactive confirmation. Combined with MML attachment syntax, an agent could attach arbitrary local files and email them to any address. This creates a potential exfiltration channel if the agent is manipulated by prompt injection from another source.
MEDIUM (-15): Skill references credential storage locations
Configuration examples expose the structure and location of email credentials, including password commands and raw password storage. While this is standard documentation for the himalaya tool, it means an agent with this skill knows exactly where credentials are stored and how to retrieve them.
MEDIUM (-15): MML file attachment syntax allows arbitrary path references
The message-composition.md reference teaches the agent MML syntax that can reference any filesystem path for attachments. An agent could be instructed or manipulated to attach sensitive files (SSH keys, env files, credentials) to outgoing emails.
LOW (-15): Full email inbox read access
The skill enables the agent to read all emails in all folders across all configured accounts. Emails frequently contain sensitive information including password reset links, 2FA codes, financial statements, and private communications.
LOW (-5): Skill requests binary installation via brew
The metadata requests installation of the himalaya binary via Homebrew. This is a legitimate open-source tool from a known repository (pimalaya/himalaya), but it does add an external binary to the system.
INFO (-15): Platform agent reads sensitive files during startup
Filesystem monitoring captured reads of .env, .aws/credentials, and auth-profiles.json. These appear to be the host agent platform's normal startup behavior rather than skill-initiated activity, but they indicate the environment has access to sensitive credentials.