skills/smithery/ai/better-notion/Gen Agent Trust Hub

better-notion

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted external content from the Notion API (pages, blocks, and search results) while possessing high-privilege write capabilities.
      • Ingestion points: Page reading (/v1/pages/{id}), block retrieval (/v1/blocks/{id}/children), and search operations (/v1/search) in SKILL.md.
      • Boundary markers: Absent. There are no delimiters or instructions to the agent to ignore or isolate instructions found within the Notion data.
      • Capability inventory: The skill has full permissions to create, update, and delete content via POST, PATCH, and DELETE requests.
      • Sanitization: Absent. Content retrieved from Notion is processed directly, allowing an attacker to place malicious instructions in a Notion page that the agent might execute.
  • Data Exfiltration (HIGH): The skill explicitly instructs the agent to read a sensitive local file (~/.config/notion/api_key) and transmit its contents to an external domain (api.notion.com).
      • Evidence: NOTION_KEY=$(cat ~/.config/notion/api_key) followed by curl -H "Authorization: Bearer $NOTION_KEY" https://api.notion.com/....
      • While this is the official Notion API, the domain is not whitelisted per the security policy, and the pattern of reading local secrets for external transmission is a high-risk data exposure vector.
  • Command Execution (LOW): The skill utilizes shell commands (curl, cat, echo) for data handling and API interaction. While functional, performing these via shell interpolation ($NOTION_KEY) increases the risk of command injection if variable contents are not strictly controlled.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:01 AM