notion
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation instructs the user to install the notion-cli tool from the author's GitHub repository (github.com/lox/notion-cli). This is a legitimate vendor resource provided for the skill's operation.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute various notion-cli commands, enabling the agent to search, list, view, and sync Notion content.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content retrieved from external Notion workspaces.
- Ingestion points: Untrusted content enters the agent's context through notion-cli page view, notion-cli search, and notion-cli db query as seen in SKILL.md.
- Boundary markers: There are no explicit markers or instructions to isolate retrieved content from the agent's internal control flow.
- Capability inventory: The agent has permissions to create and edit pages, upload files, and manage databases via the notion-cli tool.
- Sanitization: There is no evidence of sanitization or filtering of the content returned from the Notion API before it is processed by the AI.
Audit Metadata