Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Himalaya Cli
v0.0.2
CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple acc...
by Jonathan Cohen (@cohenyehonatan)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual instructions: the skill simply runs the himalaya email CLI and offers help for common commands. The declared install (brew formula 'himalaya') and required binary ('himalaya') are appropriate. Minor inconsistency: the SKILL.md requires a local config file (~/.config/himalaya/config.toml) and IMAP/SMTP credentials, but the registry metadata did not list required config paths or credentials.
Instruction Scope
SKILL.md confines itself to invoking himalaya commands (list, read, write, reply, forward, search, manage attachments, etc.). It does not instruct the agent to read unrelated system files or exfiltrate data to external endpoints. It does reference local files (attachments, config path) and standard env vars ($EDITOR, RUST_LOG) which are reasonable for a CLI email client.
Install Mechanism
Install is via a Homebrew formula ('himalaya'), which is a normal, low-risk package manager install. No arbitrary URL downloads or archive extraction are used by the skill metadata.
Credentials
The skill metadata declares no required environment variables, which is fine because the CLI itself uses user-local config for credentials. The SKILL.md explicitly describes storing IMAP/SMTP passwords in ~/.config/himalaya/config.toml (including discouraged raw passwords) or retrieving them via commands like 'pass' or system keyring. This is expected for an email client, but users should be aware that credentials live locally (or are retrieved by shell commands) and the skill metadata does not declare those config requirements.
Persistence & Privilege
always:false and standard user-invocable/autonomous invocation defaults are used. The skill does not request persistent presence or modify other skills or system-wide agent settings.
Scan Findings in Context
[no-findings] expected: The regex-based scanner found nothing to analyze because this is an instruction-only skill with no code files. That absence is expected but not evidence of safety — the SKILL.md is the primary surface to review.
Assessment
This skill is a wrapper for the Himalaya terminal email client and is internally consistent. Before installing:
1) Confirm you trust the Homebrew formula source (inspect the formula or upstream repo) because it will install a binary that accesses your mail servers.
2) Prepare your ~/.config/himalaya/config.toml and IMAP/SMTP credentials — avoid storing plaintext passwords in the config; prefer keyring or a password manager (the SKILL.md shows 'pass' as an option).
3) Be aware the CLI may execute commands you configure for password retrieval (e.g., 'pass show ...'), so ensure those commands are safe and their outputs are protected.
4) Check any attachment paths you use (they reference local files) and the editor ($EDITOR) behavior.
If you need the agent to send/read mail on your behalf, consider limiting account scope (app-specific passwords) and reviewing the binary's source/release checksums first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📧 Clawdis
Bins: himalaya
Install
Install Himalaya (brew)
Bins: himalaya
brew install himalaya