notion
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill facilitates reading a Notion API key from a configuration file at
~/.config/notion/api_keyand sending it to an external service. While this is the intended functionality for an API tool and targets a well-known service (api.notion.com), it involves the handling of sensitive file paths and credential transmission. Evidence:NOTION_KEY=$(cat ~/.config/notion/api_key)and subsequentcurlcalls in SKILL.md. - [COMMAND_EXECUTION]: The skill utilizes shell commands via
curlto perform its operations. Evidence: Multiple examplecurlcommands in SKILL.md for searching, reading, and updating Notion pages. - [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface because it retrieves and processes content from an external source (Notion). Ingestion points: Content retrieval from pages via
GET /v1/blocks/{page_id}/childrenand search results. Boundary markers: Absent; there are no delimiters provided in the instructions to help the agent distinguish between data and potential instructions within the Notion content. Capability inventory: The skill can execute network requests and shell commands based on the data it retrieves. Sanitization: Absent; there is no mention of filtering or validating the content fetched from the API before the agent processes it.
Audit Metadata