notion-meeting-intelligence

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it retrieves data from untrusted Notion pages and processes it to create new materials.
    • Ingestion points: Workflow Step 1 in SKILL.md utilizes Notion:notion-fetch to pull content from arbitrary workspace pages.
    • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided templates or prompts.
    • Capability inventory: The agent has the authority to create and update pages (Notion:notion-create-pages, Notion:notion-update-page), which could be exploited by an injection to exfiltrate data or modify workspace state.
    • Sanitization: There is no evidence of content validation or escaping before Notion data is used in synthesis.
  • [Remote Code Execution] (MEDIUM): SKILL.md (Step 0) instructs the user to add an external Model Context Protocol (MCP) server from https://mcp.notion.com/mcp, which involves downloading and executing remote logic within the agent's runtime.
  • [Command Execution] (MEDIUM): The skill's setup instructions require the user to execute shell commands to modify configuration files (config.toml) and enable specific feature flags (rmcp_client), altering the agent's security posture.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 02:32 AM