notion
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it retrieves and processes content from external Notion pages and databases which may contain untrusted instructions.
- Ingestion points: The skill reads page metadata, block content, and database query results through endpoints like /v1/pages, /v1/blocks/{id}/children, and /v1/data_sources/{id}/query in SKILL.md.
- Boundary markers: The instructions do not specify the use of delimiters or clear separation between retrieved data and agent instructions.
- Capability inventory: The skill utilizes shell commands via curl for network communication and cat for local file access.
- Sanitization: There is no evidence of sanitization or validation of the content fetched from the Notion API before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill relies on curl commands to perform API requests. These operations target api.notion.com, which is the official domain for a well-known service, and the use of the tool is consistent with the skill's stated purpose.
Audit Metadata