notion
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of external data from the user's Notion workspace.
- Ingestion points: Content is retrieved from Notion pages via
pages/scripts/notion_pages.py(get command) and from databases viadatabases/scripts/notion_databases.py(query command). - Boundary markers: The instructions do not specify any delimiters (such as XML tags or triple backticks) to separate retrieved external content from the agent's core instructions.
- Capability inventory: The agent can perform write operations (create/update) via the Notion API, manage its own local configuration file, and execute its internal Python scripts to perform tasks.
- Sanitization: There is no evidence of sanitization or filtering of the retrieved Notion content before it is passed to the agent's context.
Audit Metadata