notion-operations
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): Critical vulnerability surface detected.
  1. Ingestion points: The 'queryNotionDatabase' function reads external data from Notion into the agent context.
  2. Boundary markers: No delimiters or ignore-instructions warnings are present.
  3. Capability inventory: Functions 'createNotionPage' and 'updateNotionPage' enable writing and modifying database records.
  4. Sanitization: No sanitization, escaping, or schema validation is performed on ingested data before it is used in subsequent operations.
- [Data Exposure & Exfiltration] (LOW): The skill performs network requests to 'api.notion.com'. While this is the official API endpoint, it is not within the trusted domain whitelist, posing a low risk of unauthorized data transmission.
- [Metadata Poisoning] (LOW): The skill documentation references absolute local file system paths ('/mnt/d/work/n8n_agent/...'), which exposes the author's internal directory structure and host environment details.
Recommendations
- AI detected serious security threats
Audit Metadata