notion-research-documentation

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • PROMPT_INJECTION (SAFE): No adversarial patterns such as 'ignore previous instructions', 'DAN' jailbreaks, or system prompt extraction attempts were found in the skill or its reference materials.
  • DATA_EXFILTRATION (SAFE): The skill interacts with the user's Notion workspace as intended. No hardcoded credentials, unauthorized data exposure, or suspicious network requests to external domains were detected. The MCP URL provided is the official Notion endpoint.
  • REMOTE_CODE_EXECUTION (SAFE): No patterns of remote script execution (e.g., curl | bash) or unverified external dependencies were found. The skill relies exclusively on the official Notion MCP server.
  • COMMAND_EXECUTION (SAFE): The shell commands mentioned in the workflow (e.g., codex mcp add) are standard administrative commands for configuring the agent's environment and do not constitute a security risk.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from the user's Notion workspace through notion-fetch. It has no explicit instructions to sanitize the content of fetched pages so that the agent does not follow instructions embedded in them; this is a common architectural risk for research tools and is mitigated by the synthesis-heavy workflow.
      • Ingestion points: Notion workspace pages fetched via Notion:notion-fetch.
      • Boundary markers: Templates in the reference/ directory provide structure, but no explicit 'ignore instructions' delimiters are used during interpolation.
      • Capability inventory: notion-create-pages, notion-update-page across all workflow scripts.
      • Sanitization: None detected.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 17, 2026, 04:51 PM