notion-spec-to-implementation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and act on external data from Notion pages, creating an attack surface for indirect prompt injection.
- Ingestion points: External content is fetched using
Notion:notion-fetchbased on search results fromNotion:notion-search, as described inSKILL.md. - Boundary markers: The parsing logic in
reference/spec-parsing.mdand the implementation templates do not include markers or instructions to isolate the specification content from the agent's system instructions. - Capability inventory: The agent has the ability to create and update Notion pages (
Notion:notion-create-pages,Notion:notion-update-page). Malicious content within a spec could influence the agent to perform unauthorized or misleading modifications within the Notion environment. - Sanitization: No sanitization or verification of the fetched specification data is performed before it is used to generate tasks and plans.
Audit Metadata