notion-plan

Fail

Audited by Snyk on Apr 9, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.90). The skill explicitly extracts full Notion page content and snapshot YAML (properties/comments) and outputs the complete structured Markdown into the conversation, so any secrets present in the page or snapshot would be copied verbatim into the LLM output.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). This skill fetches and reads arbitrary Notion pages (Step 1 + Step 2d/2f use playwright-cli to load a user-provided Notion URL and extract page text/properties) and then passes the extracted, untrusted page content directly into /design (Step 5b) where it can influence subsequent actions, enabling indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill opens and evals Notion URLs at runtime (e.g., https://www.notion.so/workspace/Page-Title-abc123 and https://www.notion.so/login) via playwright-cli to fetch page/snapshot content which is then injected into the agent context and passed to /design, so external content directly controls prompts and is a required runtime dependency.

Issues (3)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

  • Risk Level: HIGH
  • Analyzed: Apr 9, 2026, 02:13 AM
  • Issues: 3