notion-meeting-intelligence

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted data from external sources and possesses write capabilities. An attacker could place malicious instructions in a Notion document to manipulate the agent's behavior during meeting prep.
      • Ingestion points: Notion content retrieved via notion-search and notion-fetch, plus Codex research data.
      • Boundary markers: None present to separate external content from system instructions.
      • Capability inventory: Ability to create and update Notion pages (notion-create-pages, notion-update-page).
      • Sanitization: No evidence of input filtering or sanitization.
  • [External Downloads / Unverifiable Dependencies] (MEDIUM): The skill instructs the user to add a remote MCP tool from a third-party URL (https://mcp.notion.com/mcp). While the domain belongs to Notion, this establishes a pattern of executing remote tool definitions.
  • [Command Execution / Privilege Escalation] (MEDIUM): The workflow requires the user to modify local configuration to enable 'rmcp_client', which expands the agent's attack surface by allowing it to connect to remote services.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 09:01 PM