notion-custom-mcp
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXPOSURE]: The skill is designed to interface with internal business databases (StonePro ERP) and Notion workspaces containing customer, job, and order data. This establishes a broad data access surface for the agent.
- [PROMPT_INJECTION]: The execute_query tool accepts SQL SELECT statements directly. This interface represents a risk where an attacker could influence the agent to construct complex queries aimed at bypassing validation filters or exfiltrating sensitive schema information.
- [INDIRECT_PROMPT_INJECTION]: The skill handles data from external, potentially untrusted sources.
  - Ingestion points: Data enters the agent context through SQL query results (execute_query) and Notion content (notion_get_page_content, notion_query_database).
  - Boundary markers: The instructions do not specify any delimiters or warnings for the agent to distinguish between system instructions and the data it retrieves.
  - Capability inventory: The skill provides extensive tools for discovering and reading data across different platforms.
  - Sanitization: While the documentation claims the server validates SQL queries, there is no mention of sanitizing or escaping content retrieved from Notion, which could contain malicious embedded instructions.