notion-plan
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from external Notion URLs and passes it to the `/design` skill for further action.
  - Ingestion points: Data enters the agent's context through `mcp__playwright__browser_snapshot` and `mcp__playwright__browser_evaluate` in `SKILL.md`.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are used when passing the extracted content to the next skill.
  - Capability inventory: The extracted content is processed by the `Skill(skill="design", ...)` tool, which performs planning and potentially file generation tasks.
  - Sanitization: The skill performs structural formatting and UI removal but does not sanitize the text against embedded instructions or malicious prompts.
- [COMMAND_EXECUTION]: The skill utilizes `mcp__playwright__browser_evaluate` to execute predefined JavaScript snippets within the browser context. While these scripts are used for legitimate automation, such as expanding toggles and scrolling, they represent a dynamic code execution capability.
- [EXTERNAL_DOWNLOADS]: The skill navigates to and processes content from external domains (Notion) using browser automation tools. While focused on Notion, the tool provides the agent with the ability to interact with and retrieve data from the public internet based on user-supplied URLs.