ntion-cli
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill directs the agent to use
npx ntionto perform its tasks.npxdownloads and executes a package from the npm registry at runtime. As thentionpackage is not from a trusted organization or repository defined in the security guidelines, this represents an unverifiable dependency. - COMMAND_EXECUTION (LOW): The skill relies on shell command execution to perform all Notion operations. While central to its purpose, this capability provides the agent with extensive access to modify and delete workspace content.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it ingests untrusted data from external Notion pages.
- Ingestion points: Data is brought into the agent's context through
ntion blocks getandntion pages get(observed inSKILL.md). - Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between its system instructions and content fetched from Notion.
- Capability inventory: The skill allows for significant workspace actions including
ntion pages create,ntion pages update,ntion blocks append, andntion blocks delete. - Sanitization: Absent. Content is retrieved and processed as raw markdown or JSON without verification or escaping.
Audit Metadata