notion-skill
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs users to store Notion Internal Integration Secrets in a plaintext JSON configuration file (
~/.claude/skills/notion-skill/config.json). Storing secrets in plaintext on the local filesystem increases the risk of credential exposure if the host environment is compromised. - [COMMAND_EXECUTION]: The
notion_skill.pyscript'sexportcommand allows users to specify an arbitrary file path for output via the--outputargument. This capability could be abused to overwrite sensitive system or configuration files (such as shell profiles) if the agent is manipulated into executing the command with malicious parameters. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external sources (Notion pages and databases).
- Ingestion points: Content is retrieved from Notion via the
query,page, andsearchcommands innotion_skill.py. - Boundary markers: The script does not use delimiters or provide instructions to the agent to ignore embedded commands within the retrieved content.
- Capability inventory: The skill has file-writing capabilities through the
exportcommand and operates within a Bash tool environment. - Sanitization: There is no validation or sanitization of the text content fetched from Notion before it is returned to the agent.
- [SAFE]: The skill communicates exclusively with the official Notion API (
api.notion.com), which is a well-known and trusted technology service.
Audit Metadata