ClawHub

Himalaya

v1.0.0

CLI to manage emails via IMAP/SMTP. Use `himalaya` to list, read, write, reply, forward, search, and organize emails from the terminal. Supports multiple acc...

0· 82·0 current·0 all-time
by@utromaya-code
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill name/description match the declared requirements: it needs the himalaya binary and offers a brew install for it. There are no unrelated binaries, env vars, or config paths requested.
Instruction Scope
SKILL.md instructs the agent to use a config file at ~/.config/himalaya/config.toml, run himalaya commands, and (optionally) use password helpers (pass, keyring, security). These are appropriate for an email CLI, but the instructions also show examples that (a) can store raw passwords in the config (marked as 'testing only') and (b) invoke external password commands (e.g., pass show ... or security find-generic-password -w) which will execute commands that produce secrets. The docs also allow attaching local files via MML (filename=/path/to/...), which means the CLI will access arbitrary local paths if used that way. None of this is unexpected for an email client, but it is sensitive and worth noting.
Install Mechanism
Install is a Homebrew formula 'himalaya' which is a standard, low-risk install mechanism for a CLI. No arbitrary downloads or custom extraction steps are used.
Credentials
The skill does not request environment variables or credentials via the skill manifest. The documented configuration appropriately requires IMAP/SMTP credentials (via raw, cmd, or keyring), which is proportional for an email client. Users should prefer keyring or a secure password helper rather than embedding raw passwords in config. Using auth.cmd runs arbitrary helper commands (e.g., pass) so the helper’s behavior and permissions matter.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-level privileges or modify other skills. It is user-invocable and allows autonomous invocation (the platform default), which is expected for skills.
Assessment
This skill is coherent for managing email via the Himalaya CLI. Before installing: (1) verify you trust the Homebrew formula/source (the homepage points to the GitHub repo), (2) avoid placing raw passwords in ~/.config/himalaya/config.toml — prefer the system keyring or a vetted password helper, (3) review any password helper commands you configure (auth.cmd) because they will be executed to retrieve secrets, and (4) be mindful that composing MML messages may reference local files (attachments) so don’t use the skill to auto-attach sensitive files unless you intend to. If you want extra caution, install the CLI manually, inspect it locally, and confine credentials to a secure store before using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fwk5njeqqhdmr80cyta6des83c9qm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis
Binshimalaya

Install

Install Himalaya (brew)
Bins: himalaya
brew install himalaya

Comments