notion
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill provides examples that read an API key from a local configuration file (~/.config/notion/api_key) and include it in requests to the official Notion API (api.notion.com). While this is the intended authentication method for the service, accessing sensitive filesystem paths and transmitting credential data is a risk factor.
- [PROMPT_INJECTION]: The skill interacts with external content from Notion, creating a surface for indirect prompt injection attacks.
- Ingestion points: Content is retrieved via page and block retrieval endpoints as described in SKILL.md.
- Boundary markers: No explicit delimiters or instructions to isolate external data from the agent's instructions are present in the provided examples.
- Capability inventory: The skill includes write capabilities such as creating pages and updating properties via PATCH and POST requests in SKILL.md.
- Sanitization: No sanitization or validation of retrieved external data is demonstrated in the examples.
Audit Metadata