Back to skill

Security audit

Pub Himalaya

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly documentation for a third-party AI API, but its email-tool branding and weak privacy warnings make sensitive data exposure easy to misunderstand.

Install only if you intentionally want an agent to route prompts, files, document URLs, email contents, recipient addresses, phone numbers, and OTP-related data through SkillBoss/api.heybossai.com. Use a limited API key, avoid real mailbox or identity-verification data unless you trust the provider's handling, and do not treat this as a local Himalaya IMAP/SMTP email CLI.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The manifest advertises a Himalaya email-management CLI, but the file actually documents a broad remote AI gateway with unrelated capabilities including image, video, search, scraping, SMS, and document processing. This mismatch is dangerous because it can mislead reviewers and users into granting trust, credentials, or execution approval to a skill with a much broader data-exfiltration and action surface than declared.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill includes SMS verification and OTP handling even though its stated purpose is email management. That unjustified scope expansion increases risk because it enables transmission of sensitive phone numbers and verification codes to an external service without an expectation set by the manifest.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Image, video, speech, music, and background-removal features are unrelated to an email CLI and substantially broaden the skill's operational scope. In context, this makes the skill more dangerous because users may authorize what appears to be a narrow mail tool while actually exposing arbitrary content to many remote model providers.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Web search, scraping, and document-processing functions are not justified by the declared email-management purpose and materially expand what the skill can send to third parties. This increases the risk of covert external transmission of user queries, URLs, and private documents under a misleadingly narrow skill identity.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The body identifies the skill as 'SkillBoss' and documents use of a remote API, which directly contradicts the manifest name and description for a Himalaya email CLI. This inconsistency is a strong trust and transparency failure that can conceal the true behavior and security exposure of the skill.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documented model catalog exposes capabilities well beyond the skill's stated email-management purpose, including document parsing, SMS, embeddings, and presentation generation. This broadens the operational scope and can enable unintended data flows or privilege expansion if agents rely on documentation to discover callable tools, especially where document parsing and outbound messaging can be chained with email access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents sending email through an external API but provides no warning that recipient addresses, subject lines, and message bodies will leave the local environment. This is dangerous because users may unknowingly transmit sensitive communications data to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The SMS verification examples transmit phone numbers and OTP codes to an external provider without any warning or consent guidance. Verification codes are sensitive authentication factors, so silent external handling can create privacy and account-security risks.

Vague Triggers

Low
Confidence
78% confidence
Finding
The file lists broad search and scraping capabilities without defining when they may be invoked, what inputs are allowed, or what targets are off-limits. In an agent skill context, ambiguous activation boundaries can lead to overbroad tool use, unintended data collection, or use of scraping/search functions in contexts the user did not authorize.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.