notion
Pass
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: SAFE, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [DATA_EXPOSURE_AND_EXFILTRATION]: The skill instructs the user to store their Notion API key in `~/.config/notion/api_key` and provides snippets to read this file and transmit the key to `api.notion.com`. Since Notion is a well-known service and the transmission is via its official API endpoint for the skill's primary purpose, this is documented as expected behavior.
- [INDIRECT_PROMPT_INJECTION]: The skill facilitates the ingestion of content from external Notion pages and databases, which introduces a surface for indirect prompt injection.
  - Ingestion points: Data is ingested via `GET /v1/pages/{page_id}`, `GET /v1/blocks/{page_id}/children`, and `POST /v1/search` endpoints.
  - Boundary markers: The provided examples do not include delimiters or instructions to ignore instructions embedded within the fetched Notion data.
  - Capability inventory: The skill's capabilities are restricted to network communication with Notion's API via `curl`.
  - Sanitization: No sanitization or content filtering is implemented for the data retrieved from the Notion API.
Audit Metadata