notion-docs-enhancer
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted Markdown content and navigates to user-provided Notion URLs, creating a high-risk surface for indirect injection. Malicious instructions inside a Notion page or the provided text could hijack the agent's browser session to perform unauthorized actions. Evidence: Step 4 in SKILL.md directly interpolates Markdown into a template for the browser_run_code tool. Boundary markers are absent, and there is no sanitization of the input. Capability inventory includes arbitrary JS execution, navigation, and file writing (screenshots).
- Command Execution (MEDIUM): The skill relies on mcp__plugin_playwright_playwright__browser_run_code to execute arbitrary JavaScript within the browser. While intended for automation, this capability allows for sophisticated attacks if the input content is malicious. Evidence: Step 4 code block uses page.evaluate and browser_run_code.
- Data Exfiltration (LOW): The skill automatically takes full-page screenshots of the Notion workspace and saves them locally. This creates a risk of exposing sensitive data contained within the Notion pages to the host filesystem. Evidence: Step 5 uses mcp__plugin_playwright_playwright__browser_take_screenshot with fullPage: true.
Recommendations
- AI detected serious security threats
Audit Metadata