Mail

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent email skill, but installing it means allowing the agent to read private mail and send messages through your configured email account when you approve.

This skill appears purpose-aligned for managing email. Before installing, make sure you are comfortable giving the agent access to the configured mailbox, use revocable app passwords or OAuth where possible, and require explicit confirmation before any send, delete, move, or bulk mailbox operation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the agent can send email from your account, so mistakes in recipients or content could affect real people.

Why it was flagged

The skill can send email through a CLI, which is a high-impact action, but the documented workflow requires the user to review and explicitly approve the message first.

Skill content
**NEVER auto-send.** Always follow this flow: ... Show user the complete message ... Wait for explicit "send" or "OK" ... Execute `himalaya message send`

Recommendation

Review every recipient, subject, and body before confirming send, especially for replies, attachments, or bulk messages.

What this means

Anyone, or any agent action, that uses this setup may be able to read and send mail for the configured account.

Why it was flagged

The skill uses email account credentials via Keychain and himalaya configuration. This is expected for email access, but it grants access to the configured mailbox.

Skill content
**Credentials:**
- App Password for Gmail (not regular password), stored in macOS Keychain
- Configure in `~/.config/himalaya/config.toml`

Recommendation

Use app passwords or OAuth tokens that can be revoked, keep the config file protected, and only configure accounts you are comfortable exposing to the agent.

What this means

Private messages, sender information, and attachments may be surfaced to the agent during searches or reads.

Why it was flagged

The skill can read local mail indexes and message or attachment files, which may bring private email content into the agent's working context.

Skill content
**Read-only paths:**
- `~/Library/Mail/V*/MailData/Envelope Index`
- `~/Library/Mail/V*/MAILBOX/Messages/`

Recommendation

Ask for narrow searches by folder, sender, or date range, and treat email contents as untrusted data rather than instructions.

What this means

The security of the skill's mail operations depends on the installed himalaya binary and its configuration.

Why it was flagged

The skill depends on an external CLI installed outside the skill package. This is normal for the stated purpose, but the user must trust that dependency.

Skill content
brew install himalaya
# or
cargo install himalaya

Recommendation

Install himalaya from a trusted package source and keep it updated.