notion
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- Data Exposure (MEDIUM): The skill accesses a sensitive credential file path at `~/.config/notion/api_key` to retrieve API tokens. While this is the intended setup for authenticating with the Notion API, the use of hardcoded paths for secrets is a risk factor.
  - Evidence: `NOTION_KEY=$(cat ~/.config/notion/api_key)`
  - Network Destination: Data is sent to `api.notion.com`, which is the legitimate service but not on the whitelisted domain list.
- Indirect Prompt Injection (LOW): The skill retrieves content from external Notion pages and databases, creating a surface where malicious instructions embedded in that content could influence agent behavior.
  - Ingestion points: `api.notion.com/v1/search`, `api.notion.com/v1/pages/{page_id}`, and `api.notion.com/v1/blocks/{page_id}/children`.
  - Boundary markers: Absent. The skill documentation does not provide delimiters or instructions for the agent to ignore embedded commands within the retrieved page content.
  - Capability inventory: The agent can execute network requests and modify data via `curl` based on these inputs.
  - Sanitization: Absent. Content is retrieved and processed without specific filtering or escaping for potential injection attacks.