sync-notion

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill reads and interprets content from user-controlled files such as CLAUDE.md and session logs (log/*.md) to extract project metadata and updates. This presents a potential surface for indirect prompt injection if those files contain malicious instructions.
      • Ingestion points: Reads CLAUDE.md and files in the log/ directory via the Read tool.
      • Boundary markers: None specified; the agent is instructed to read content and extract metadata directly.
      • Capability inventory: The skill has the ability to write to central context files (.context/projects/_index.md, .context/current-focus.md) and update Notion database entries via MCP tools.
      • Sanitization: No sanitization or validation of the extracted content is mentioned before it is used to update other files or Notion.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool with a restricted pattern (ls*) to locate the most recent session logs. This is a limited and appropriate use of shell commands for file discovery.
  • [DATA_EXFILTRATION]: The skill transfers project metadata (Stage, Target Journal, Status) to a Notion database. This uses dedicated Notion MCP tools and targets a database ID provided by the user, which is consistent with the skill's intended purpose.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 07:17 PM