research-management
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Category: PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill implements a research workflow (search -> fetch -> synthesize -> write) that is susceptible to malicious instructions embedded in the documents it processes.
- Ingestion points: Untrusted data enters the context via the Notion:notion-fetch tool, as described in SKILL.md and examples/technical-investigation.md.
- Boundary markers: Absent. The instructions do not provide delimiters or "ignore embedded instructions" warnings to the agent when processing fetched page content.
- Capability inventory: The skill uses Notion:notion-create-pages to write documentation. This capability allows the agent to take actions with side effects (writing to the workspace) based on the input it synthesizes.
- Sanitization: Absent. There is no logic provided to sanitize, validate, or filter content retrieved from the workspace before it is interpolated into the synthesis prompt or output results.
- Expanded Attack Surface (MEDIUM): Per reference/advanced-search.md, the research scope includes connected integrations such as Slack, Google Drive, GitHub, and Jira. This significantly broadens the attack surface: an attacker with no access to the Notion workspace could still influence the agent's output by placing malicious content in a linked GitHub issue or Slack channel that the agent is instructed to research.
Recommendations
- AI detected serious security threats
Audit Metadata