notion-policy-guardrails

Pass

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: SAFE (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses shell commands via Bash for auditing tasks, such as scanning for hardcoded Notion tokens using grep and checking for uncommitted environment files with git. It also executes local scripts via npx ts-node as part of CI/CD workflows.
  • [DATA_EXFILTRATION]: The skill performs broad workspace searches and queries via the Notion API to retrieve metadata, including page titles, database IDs, and public sharing URLs. While this metadata retrieval is the primary purpose of an audit tool, it exposes the internal structure of the workspace to the agent's context.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it ingests untrusted data from the Notion API (page titles and database names) without sanitization. An attacker with access to the Notion workspace could manipulate the agent's behavior by naming pages with malicious instructions.
      • Ingestion points: API search and query results from the Notion workspace (SKILL.md).
      • Boundary markers: None present in the provided scripts to delimit untrusted data.
      • Capability inventory: The skill possesses Read, Write, Edit, and Bash permissions, which could be abused if the agent is successfully influenced via injection.
      • Sanitization: No filtering or validation is performed on the content retrieved from the Notion API.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 25, 2026, 04:42 PM