ClawHub

Himalaya 1.0.0

v1.0.0

CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple acc...

0· 100·3 current·3 all-time
by@guogithubname
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (himalaya), and the brew install all align with a CLI email client. Nothing in the manifest asks for unrelated cloud credentials or unusual system access.
Instruction Scope
SKILL.md instructs the user/agent to create and edit ~/.config/himalaya/config.toml, run the himalaya binary, open $EDITOR, and potentially reference local files for attachments. It also documents backend.auth.cmd entries (e.g., 'pass show ...') which invoke external commands to retrieve passwords. These actions are expected for an email CLI but do involve local file reads, command execution for password retrieval, and use of attachments paths — all of which could access user secrets or files if configured that way.
Install Mechanism
Install spec is a Homebrew formula for 'himalaya' which is an appropriate and low-risk delivery mechanism for a CLI tool. No arbitrary URL downloads or extracted archives are declared.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md suggests storing credentials via pass/keyring or raw config (the latter is explicitly discouraged in the docs). The suggested auth methods are appropriate for an email client and proportional to purpose.
Persistence & Privilege
always:false (not force-enabled). disable-model-invocation:false (default) means an agent MAY invoke the skill autonomously when eligible — this is normal but means the agent could run the himalaya binary and thereby access configured mail accounts if present.
Assessment
This skill is internally consistent with an email CLI, but consider these practical precautions before installing and configuring it: 1) Verify the Homebrew formula source (official repo) before installing. 2) Avoid storing raw passwords in ~/.config/himalaya/config.toml; prefer a system keyring or a password manager command (e.g., pass) as documented. 3) Be aware that the agent (unless explicitly restricted) can invoke the himalaya binary and thereby access any mail accounts you configure — only configure accounts you trust and don’t expose credentials you’re not willing to let the agent use. 4) When composing messages or adding attachments, instructing the tool to attach local files will read those paths — avoid attaching sensitive local files unintentionally. 5) If you want tighter control, disable autonomous skill invocation for this skill or only use it when explicitly invoked.

Like a lobster shell, security has layers — review code before you run it.

latestvk978af6q0tjz2msn195bn2wrhs83kv34

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis
Binshimalaya

Install

Install Himalaya (brew)
Bins: himalaya
brew install himalaya

Comments