Skills
skills/ashe-li/agent-skills/notion-plan/Gen Agent Trust Hub

notion-plan

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute various shell commands for browser automation and local file management.
  • Evidence: It executes playwright-cli for navigation and content extraction, ls to find temporary snapshot files, and sleep for timing control.
  • [EXTERNAL_DOWNLOADS]: The skill performs network operations to fetch data from external websites.
  • Evidence: It navigates to URLs on notion.so and notion.site to retrieve page content using playwright-cli.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted content from external Notion pages and provides it to the agent as context for the /design skill.
  • Ingestion points: Page content and properties are fetched from arbitrary Notion URLs via playwright-cli (SKILL.md, Step 2).
  • Boundary markers: The skill structures the content into Markdown but does not include explicit delimiters or instructions for the agent to ignore potentially malicious commands embedded in the Notion text.
  • Capability inventory: The skill has access to the Bash, Read, AskUserQuestion, and Skill tools.
  • Sanitization: The skill performs structural cleanup of the HTML/YAML data but does not sanitize the resulting text for natural language instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 9, 2026, 02:13 AM