notion-knowledge-capture
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is designed to ingest untrusted data from active conversations to generate documentation. It lacks boundary markers or sanitization logic, creating a significant risk of indirect prompt injection.
  - Ingestion Points: Conversation context and chat discussions are extracted in 'Step 1: Identify content to capture' in SKILL.md.
  - Boundary Markers: Absent. The skill instructions do not define delimiters or provide 'ignore embedded instructions' warnings for the agent.
  - Capability Inventory: The skill uses Notion:notion-search, Notion:notion-create-pages, and Notion:notion-update-page to modify the workspace.
  - Sanitization: Absent. There is no requirement to filter or escape the content extracted from the chat before passing it to the Notion API tools.
- COMMAND_EXECUTION (MEDIUM): While it does not execute shell commands, the skill executes API-driven actions (notion-update-page) that can modify existing documentation based on untrusted input. An attacker could inject instructions into the 'knowledge' being captured to manipulate the new_str or command parameters, leading to unauthorized modification of the Notion workspace.
Recommendations
- AI detected serious security threats
Audit Metadata