notion
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill provides instructions to store the Notion API key in a plaintext file at ~/.config/notion/api_key and uses shell commands (cat) to retrieve it for use in API requests. Storing secrets in plaintext on the local filesystem increases the risk of credential theft by other processes or users with access to the system.
- [COMMAND_EXECUTION]: The skill relies on shell-based curl commands to interact with the Notion API and perform system operations such as directory creation.
- [PROMPT_INJECTION]: An indirect prompt injection attack surface is present due to the skill's ability to ingest external content and perform subsequent write operations.
  - Ingestion points: The skill fetches page content and block children from Notion via GET requests (SKILL.md).
  - Boundary markers: No delimiters or specific instructions are provided to the agent to treat retrieved data as untrusted or to ignore instructions embedded within the content.
  - Capability inventory: The skill possesses the capability to create and update content in Notion (POST/PATCH), which could be manipulated by malicious instructions retrieved during the ingestion phase.
  - Sanitization: There is no evidence of validation, filtering, or sanitization of the content retrieved from external Notion sources before it is processed.
Audit Metadata