Himalaya
Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent email-CLI skill, but it can access and change a configured mailbox, so sensitive actions should stay user-approved.
Install this skill only if you want the agent to use Himalaya for your email. Prefer app passwords, OAuth, `pass`, or keyring storage; avoid raw passwords; verify which account is active; and require explicit approval before sending, replying-all, forwarding, deleting, moving, or downloading attachments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. A configured agent session could read email and send messages as the configured account.
   The skill requires credentials for a real email account so the CLI can authenticate and act on the user's mailbox. This is expected for the stated purpose, but it is privileged account access.
   IMAP/SMTP credentials configured (password stored securely)
   Use app passwords, OAuth, `pass`, or a system keyring where possible; avoid raw stored passwords; and only configure accounts you are comfortable letting the agent access.
2. Accidental or over-broad use could send unwanted emails, reply-all, delete messages, move messages, or change flags.
   The documented CLI operations can send email and mutate mailbox state. These commands are purpose-aligned examples, but they are high-impact if run without user intent.
   `himalaya template send` ... `himalaya message delete 42` ... `himalaya message move 42 "Archive"`
   Require explicit confirmation before sending, forwarding, replying-all, deleting, moving, or bulk-changing messages, and verify the target account, folder, and message IDs first.
3. Emails and attachments may contain sensitive data or prompt-injection text that tries to influence the agent.
   Reading, exporting, and downloading email brings private and untrusted message content into the agent's working context or local files.
   `himalaya message read 42` ... `himalaya message export 42 --full` ... `himalaya attachment download 42 --dir ~/Downloads`
   Treat message bodies and attachments as untrusted data, do not follow instructions found inside emails, and only download or expose messages the user requested.
4. A malicious or mistaken config change could cause the CLI to run an unintended local command.
   Himalaya can run a local command to retrieve a password. The examples use standard password-manager commands, but this config field is still a local command-execution surface if modified by untrusted input.
   `backend.auth.cmd = "pass show email/imap"`
   Keep `auth.cmd` values limited to trusted password-manager commands and protect the Himalaya config file from untrusted edits.
5. The installed `himalaya` binary will handle mailbox credentials and email operations.
   The skill delegates behavior to an external Homebrew-installed binary rather than code included in the skill artifact. This is normal for a CLI skill but depends on trusting that package source.
   brew | formula: himalaya | creates binaries: himalaya
   Install from trusted package sources and keep the CLI updated.
