notion
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes untrusted data from external Notion pages and databases, which could contain malicious instructions.
  - Ingestion points: Data enters the agent's context through the Notion API via endpoints such as `GET /v1/blocks/{page_id}/children` and `POST /v1/search` as specified in the `SKILL.md` file.
  - Boundary markers: There are no boundary markers or explicit instructions provided to the agent to ignore or delimit instructions embedded within the retrieved Notion content.
  - Capability inventory: The skill utilizes shell commands (`curl`, `cat`, `mkdir`, `echo`) to perform file system operations and network requests to the Notion API.
  - Sanitization: No sanitization, escaping, or validation logic is defined for the data fetched from the external API before it is consumed by the agent.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands using `curl` to interact with the Notion API and `cat` to read local configuration files.
- [DATA_EXFILTRATION]: The skill provides instructions to access a sensitive credential file located at `~/.config/notion/api_key`. While the credentials are used to communicate with the official Notion API (a well-known service), the practice of reading sensitive files from the local filesystem is a security-sensitive operation.
Audit Metadata