notion
Pass
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and processing untrusted data from Notion.
- Ingestion points: Data enters the agent's context through page retrieval and database query endpoints specified in SKILL.md.
- Boundary markers: The instructions do not define delimiters or explicit warnings to treat retrieved Notion data as untrusted.
- Capability inventory: The skill allows the agent to perform various Notion operations using curl commands, including read, write, and search.
- Sanitization: No explicit sanitization or validation of the retrieved content is mentioned before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill uses shell commands for environment configuration and API interaction.
- Evidence: Shell commands mkdir, echo, and cat are used to initialize and read the API key from the ~/.config/notion/ directory.
- Evidence: The tool uses curl to execute HTTP requests to the official Notion API domain api.notion.com.
Audit Metadata