notion
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from external Notion pages, blocks, and databases which can be controlled by third parties.
- Ingestion points: Notion page content, block children, and search results retrieved via endpoints like
GET /notion/v1/pages/{pageId},GET /notion/v1/blocks/{blockId}/children, andPOST /notion/v1/search. - Boundary markers: The skill does not define specific delimiters or instructions to help the agent distinguish between its system instructions and the content retrieved from Notion.
- Capability inventory: The skill has the ability to perform write operations (create/update pages, append blocks, delete blocks) and query databases within the Notion workspace.
- Sanitization: No sanitization or validation of the retrieved Notion content is described to prevent the execution of embedded instructions.
- [COMMAND_EXECUTION]: The documentation includes several examples of Python code executed via shell heredocs to demonstrate how to interact with the Maton API. These snippets use the
urllib.requestlibrary for network operations and environment variable access. - [DATA_EXFILTRATION]: The skill performs network operations to external domains
gateway.maton.ai,ctrl.maton.ai, andconnect.maton.aito proxy Notion API requests and manage OAuth connections. These are the intended service endpoints for the skill's functionality.
Audit Metadata