notion-ops

Pass

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: SAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in 'references/mcp-continuation.md' direct the agent to execute the contents of the 'Resume Command' field retrieved from a Notion database. This creates a capability where untrusted data from the database is directly executed as a command.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes and acts upon instructions stored in external Notion databases without sanitization.
      (1) Ingestion points: The agent reads data from fields such as 'Instructions', 'Next Action', and 'Resume Command' within the 'Total tasks', 'Handoffs', and 'Context Packets' databases defined in 'references/database-contracts.md'.
      (2) Boundary markers: The skill does not define any delimiters or 'ignore' instructions to separate database content from agent logic.
      (3) Capability inventory: The agent can modify Notion workspaces and execute shell commands via the 'Resume Command' logic.
      (4) Sanitization: No validation or sanitization of the Notion data is performed before the agent processes it.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 23, 2026, 09:42 AM