notion-automation

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md explicitly requires calls like NOTION_FETCH_BLOCK_CONTENTS, NOTION_FETCH_COMMENTS, and NOTION_FETCH_DATABASE to read user-generated Notion pages, blocks, and comments (SKILL.md "Manage Blocks and Page Content" and "Manage Users and Comments"), so the agent ingests untrusted third‑party content that can influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly requires connecting to the Rube MCP endpoint https://rube.app/mcp and calling RUBE_SEARCH_TOOLS at runtime to fetch tool schemas that directly determine the agent's tool prompts/instructions, and that MCP connection is a required dependency.