notion
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted data from the Notion API. Malicious instructions embedded in Notion pages or databases could attempt to hijack the agent's behavior.
  - Ingestion points: The skill ingests data through various API endpoints, including `GET /v1/pages/{page_id}`, `GET /v1/blocks/{page_id}/children`, and `POST /v1/search`.
  - Boundary markers: No explicit delimiters or instructions to disregard embedded commands are included in the skill's examples or logic.
  - Capability inventory: The agent can perform network requests (`curl`) and read local files (`cat`).
  - Sanitization: There is no evidence of sanitization or safety-filtering of the content retrieved from the Notion API.
- [COMMAND_EXECUTION]: The skill utilizes system commands like `curl` and `cat`. While these are used for their intended purpose of API communication and configuration management, they represent capabilities that must be managed carefully.
- [DATA_EXFILTRATION]: The skill accesses a sensitive file path at `~/.config/notion/api_key` to retrieve authentication credentials. While this is standard for local tool configuration, it is documented as a sensitive operation due to the nature of the file being accessed.
Audit Metadata