notion-automation
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH | PROMPT_INJECTION | EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection attacks. It ingests data from Notion which could contain hidden instructions that override the agent's behavior.
- Ingestion points: Content is retrieved via tools like NOTION_FETCH_BLOCK_CONTENTS, NOTION_QUERY_DATABASE, and NOTION_FETCH_COMMENTS as described in SKILL.md.
- Capability inventory: The skill provides powerful write and delete capabilities including NOTION_ARCHIVE_NOTION_PAGE, NOTION_REPLACE_PAGE_CONTENT, NOTION_DELETE_BLOCK, and NOTION_UPDATE_SCHEMA_DATABASE.
- Boundary markers: There are no instructions or delimiters defined to separate untrusted Notion content from system instructions.
- Sanitization: There is no evidence of sanitization or validation of the content retrieved from Notion before the agent processes it.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on an untrusted external MCP server endpoint (https://rube.app/mcp). While necessary for functionality, this external dependency is not on a trusted organization or repository list, which poses a risk of a supply chain attack or of data interception by the proxy service.
Recommendations
- AI detected serious security threats