notion-spec-to-implementation
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill contains direct instructions for the agent to execute shell commands that modify the host system's configuration. Specifically, it commands the agent to run `codex --enable rmcp_client` or manually edit `config.toml` to enable remote MCP clients, which alters the agent's security posture.
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the agent to install an external tool from a remote URL using the command `codex mcp add notion --url https://mcp.notion.com/mcp`. Executing tool installations from URLs provided within a skill is a high-risk pattern for Remote Code Execution (RCE).
- [PROMPT_INJECTION] (LOW): The skill uses imperative framing and overrides ('If any MCP call fails... pause and set it up') to force the agent into performing configuration changes that would normally be outside its standard operating procedures.
- [DATA_EXPOSURE] (LOW): The skill requires the agent to perform an OAuth login (`codex mcp login notion`), which, while standard for the tool, involves handling authentication tokens.
- [INDIRECT_PROMPT_INJECTION] (LOW):
  - Ingestion points: The skill uses `Notion:notion-fetch` to read content from external Notion pages (SKILL.md).
  - Boundary markers: There are no markers or instructions provided to the agent to treat the fetched content as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill possesses the ability to create and update pages, as well as execute shell commands to modify the agent environment.
  - Sanitization: No sanitization or validation of the fetched Notion content is performed before the agent processes the requirements.
Recommendations
- AI detected serious security threats
Audit Metadata