notion-reader
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script explicitly accesses and extracts sensitive session information (
token_v2) from the private cookie store of the Notion desktop application located at~/Library/Application Support/Notion/Cookies. This practice of harvesting credentials from other applications' data stores is a significant security risk. - [CREDENTIALS_UNSAFE]: Extracted authentication tokens are stored in plain text in a local configuration file at
~/.config/notion-reader/config.json, making them vulnerable to access by any other process on the system. - [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection. It ingests untrusted data from external Notion pages and provides it to the agent without sanitization or boundary markers.
- Ingestion points: Content is fetched via the
_fetch_page_contentfunction inscripts/notion_reader.py. - Boundary markers: None identified; external content is returned as raw text/markdown.
- Capability inventory: The skill allows use of
BashandReadtools, which could be exploited if the agent follows malicious instructions embedded in a fetched Notion page. - Sanitization: No escaping or validation is performed on the content retrieved from Notion before it is passed to the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata