client-package-notion
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it ingests and processes data from external files that could contain malicious instructions.
- Ingestion points: The skill reads all files within the
clients/<client_name>/directory, including markdown documents and CSV files (SKILL.md, Step 1). - Boundary markers: No boundary markers or instructions to ignore embedded commands are implemented when processing these files.
- Capability inventory: The skill has the capability to write to Google Sheets and create/modify Notion pages via MCP servers.
- Sanitization: The procedure does not specify any sanitization or filtering of the content read from files before it is interpolated into Notion pages or Google Sheets.
- [DATA_EXFILTRATION]: There is a potential risk of data exposure through directory traversal.
- Evidence: The skill uses the
client_nameinput to construct filesystem paths:clients/<client_name>/(SKILL.md, Step 1). If the underlying execution environment does not sanitize this input, an attacker could use relative path segments (e.g.,../../) to read sensitive files from the host system and subsequently "package" them into the external Notion or Google Sheets workspace.
Audit Metadata