notion
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides multiple
curlcommands that the agent is expected to execute to search, read, and modify Notion content. - [DATA_EXFILTRATION]: The skill accesses a sensitive local file path
~/.config/notion/api_keyto retrieve authentication credentials. Although the credentials are used to communicate with the official Notion API, accessing local configuration files is a security-relevant behavior. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through content ingested from external Notion pages. 1. Ingestion points: Data is ingested from Notion via API calls to retrieve pages, blocks, and database query results. 2. Boundary markers: The skill does not provide delimiters or instructions to help the agent distinguish between informational data and embedded instructions. 3. Capability inventory: The agent has the ability to both read from and write to the Notion API, which could be leveraged if malicious instructions are processed. 4. Sanitization: There is no evidence of sanitization or validation of the content fetched from Notion.
Audit Metadata