notion-meeting-intelligence
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill presents a significant Category 8 attack surface as it combines broad data ingestion with the ability to modify the user's environment.
  - Ingestion points: Content is retrieved from the user's Notion workspace via Notion:notion-search, Notion:notion-fetch, and Notion:notion-query-data-sources as seen in SKILL.md and evaluations/status-meeting-prep.json.
  - Boundary markers: Absent. The instructions lack any delimiters or directives for the agent to distinguish between its system prompt and potential instructions embedded in fetched Notion pages.
  - Capability inventory: The skill has the power to create and update Notion pages via Notion:notion-create-pages and Notion:notion-update-page. This allows an injected prompt to perform unauthorized actions or exfiltrate data to other parts of the workspace.
  - Sanitization: Absent. There is no evidence of content validation or filtering of external data before it is processed.
- Unverifiable Dependencies & Remote Code Execution (MEDIUM): The skill configuration in agents/openai.yaml and the setup instructions in SKILL.md require the execution of an external MCP server from https://mcp.notion.com/mcp, which is not a pre-approved trusted source according to current safety guidelines.
- Data Exposure & Exfiltration (HIGH): The skill is designed to search for and retrieve high-sensitivity data (Category 2), such as CRM notes, pricing proposals, and project specs (documented in examples/customer-meeting.md and examples/executive-review.md). This access, when combined with the lack of indirect prompt injection protections, significantly increases the risk of sensitive data exposure.
Recommendations
- AI detected serious security threats