company-admin
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION] (HIGH): The skill is explicitly designed to process and handle highly sensitive personally identifiable information (PII).
- Evidence: The "What Goes Where" table specifically lists passport numbers, SSNs, Dates of Birth, and personal addresses as data the skill should manage.
- Risk: While the skill advises against echoing these values in chat, the presence of this data in the agent's context increases the risk of accidental exposure or exfiltration via other malicious instructions.
- [PROMPT_INJECTION] (HIGH): The skill exhibits a significant vulnerability to Indirect Prompt Injection (Category 8).
- Ingestion points: `notion_notion-fetch`, used in Step 2 to read content from various Notion Page IDs.
- Boundary markers: Absent. There are no instructions to use delimiters or to ignore instructions embedded within the fetched Notion content.
- Capability inventory: Includes `notion_notion-update-page` (writing to Notion) and shell command execution (`cat`, redirection).
- Sanitization: Absent. The skill does not provide methods to escape or validate data retrieved from Notion before using it to perform updates or shell operations.
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes shell commands to manage local configuration, which could be exploited if combined with a prompt injection.
- Evidence: Step 1 and the "First-Time Setup" section use `cat` and shell redirection (`cat > .env`) to read and write configuration files.
- Risk: An attacker-controlled Notion page could provide malicious input that, when processed by the agent during setup or configuration loading, leads to unauthorized file modification.
Recommendations
- AI detected serious security threats