notion-mcp
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill possesses an attack surface for indirect prompt injection due to its data ingestion capabilities.
  - Ingestion points: The tools defined in search.md, retrieve_block_children.md, retrieve_database.md, and query_database.md all ingest data from external Notion workspaces into the agent's context.
  - Boundary markers: There are no explicit instructions or delimiters defined to isolate retrieved data from the agent's core logic.
  - Capability inventory: The skill has the capability to read extensive workspace data and write/modify content via append_block_children.md.
  - Sanitization: No sanitization or validation logic is present to filter malicious instructions embedded within Notion blocks before they are interpreted by the LLM.
- Credentials Unsafe (SAFE): Documentation in append_block_children.md correctly identifies the need for a NOTION_API_KEY as a configuration requirement, but no actual secrets or keys are hardcoded in the skill files.
Audit Metadata