notion-cli
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill includes 'Self-Evolving' instructions in `SKILL.md` that command the agent to 'Fix this file immediately if instructions drift'. This directive for the agent to modify its own core instructions based on runtime experience is a pattern that can be exploited to persistently alter the agent's behavior.
- [EXTERNAL_DOWNLOADS]: The skill documentation recommends installing a third-party Go binary (`notion`) from an unverified repository (`4ier/notion-cli`) using Homebrew. Running binaries from unvetted sources introduces supply chain risk.
- [DATA_EXFILTRATION]: The instructions identify sensitive local file paths like `~/.config/notion/credentials.json` and provide commands to fetch tokens from the Doppler secret manager. This highlights high-value targets for potential credential access.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it processes data from external Notion databases and pages.
  - Ingestion points: Content retrieved via `notion search`, `notion page view`, and `notion db query` in `SKILL.md`.
  - Boundary markers: Absent. No instructions are provided to treat Notion content as untrusted data or to ignore embedded commands.
  - Capability inventory: The agent has access to the `Bash` tool, which allows for arbitrary command execution.
  - Sanitization: Absent. There is no evidence of sanitization or validation of the content retrieved from the Notion API.
Audit Metadata