notion-research-documentation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [Prompt Injection] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It retrieves untrusted content from the Notion workspace and possesses the write permissions required to execute malicious instructions found within that data.
      ◦ Ingestion points: Retrieves arbitrary page content via Notion:notion-fetch as described in SKILL.md.
      ◦ Boundary markers: Absent; the workflow and templates do not use delimiters or instructions to disregard malicious prompts embedded in the fetched content.
      ◦ Capability inventory: Employs Notion:notion-create-pages and Notion:notion-update-page to modify workspace state based on the researched data.
      ◦ Sanitization: Absent; no escaping or validation is performed on retrieved content before it is processed for synthesis.
  • [Command Execution] (MEDIUM): The SKILL.md workflow instructs the agent to perform system-level configuration changes, including codex --enable rmcp_client and codex mcp login.
  • [External Downloads] (MEDIUM): The skill directs the installation of an MCP tool from an external, unverifiable URL (https://mcp.notion.com/mcp) using codex mcp add.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 12:55 PM