notion-spec-to-implementation
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core workflow of processing external content.
  - Ingestion points: Untrusted data enters the context via Notion:notion-fetch when reading specification pages from Notion, as documented in SKILL.md and reference/spec-parsing.md.
  - Boundary markers: Analysis of the parsing logic in reference/spec-parsing.md reveals an absence of delimiters or specific instructions to the agent to disregard embedded commands within the fetched content.
  - Capability inventory: The skill has powerful write capabilities, including Notion:notion-create-pages and Notion:notion-update-page, which could be exploited by malicious content in a fetched page to manipulate the user's workspace.
  - Sanitization: There is no evidence of validation or sanitization of the content retrieved from external pages before it is used to generate plans and tasks.
- COMMAND_EXECUTION (HIGH): The SKILL.md file contains instructions for the agent to execute shell commands that modify the system environment and agent configuration.
  - Evidence: Workflow Step 0 in SKILL.md directs the agent to run codex mcp add and codex --enable rmcp_client, and to modify config.toml. These actions represent a risk of privilege escalation or unauthorized system changes.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of an external MCP server from a remote URL.
  - Evidence: The instruction codex mcp add notion --url https://mcp.notion.com/mcp involves a remote resource. While the domain belongs to a known service, it is not within the predefined [TRUST-SCOPE-RULE] whitelist.
Recommendations
- AI detected serious security threats
Audit Metadata