notion

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill clearly fetches and ingests user-generated Notion page/database content (via notion-fetch) and searches connected third‑party sources (notion-search over Notion workspace and connected sources like Slack, Google Drive, GitHub, Jira, etc.), and the SKILL.md explicitly instructs the agent to "ALWAYS use the fetch tool first" and to rely on the fetched schema/tags (e.g., and templates) to decide subsequent actions, so untrusted third‑party content can materially influence tool behavior.