notion-automation

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill establishes an indirect prompt injection vulnerability surface by combining the ingestion of external data from Notion with the availability of powerful tools like Bash and file system access. An attacker could embed instructions in a Notion page that the agent might inadvertently execute.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain for Indirect Injection: (1) Ingestion points: Untrusted data enters the agent context via mcp__notionApi__* tools such as getBlockChildren, retrieveComments, and search in SKILL.md. (2) Boundary markers: Absent; there are no instructions or delimiters defined to separate Notion data from the agent's executable instructions. (3) Capability inventory: The agent is granted permissions for Bash, Read, Write, Edit, Grep, and Glob in SKILL.md. (4) Sanitization: Absent; no validation or escaping logic for retrieved Notion content is provided in the skill instructions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 07:00 AM