notion
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill provides an interface for reading and processing external content from Notion pages, which introduces a surface for indirect prompt injection.
- Ingestion points: Workflows in research-documentation.md and spec-to-implementation.md utilize the notion_fetch tool to ingest content from user-specified Notion pages.
- Boundary markers: The current templates and guides do not specify the use of delimiters (such as XML tags or triple quotes) or explicit 'ignore embedded instructions' warnings when handling fetched content.
- Capability inventory: The skill includes write-capable tools such as notion_create_page, notion_update_page, and notion_append_blocks which could be misused if the agent inadvertently follows instructions embedded in fetched data.
- Sanitization: No content sanitization or validation logic is specified in the provided markdown files for retrieved data.
- [NO_CODE]: This skill does not include any executable script files (.py, .js, .sh) or software package manifests; it consists entirely of tool definitions and markdown documentation.
Audit Metadata