notion
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill processes content retrieved from external Notion databases and pages which can serve as a vector for indirect prompt injection if those sources contain malicious instructions.
- Ingestion points: Page and block content retrieval via
api.notion.comendpoints. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the provided templates.
- Capability inventory: The skill has access to shell command execution (
curl,jq) and local file system writes in/tmp. - Sanitization: No explicit filtering or sanitization of retrieved block text is performed before it is handled by the agent context.
- [COMMAND_EXECUTION]: Executes system commands including
curl,jq,echo, andtrto perform API operations and format identifiers. This is required for the skill's functionality. - [DATA_EXFILTRATION]: Retrieves the
NOTION_TOKENfrom environment variables and transmits it to the official Notion API (api.notion.com) for authentication. This is standard behavior for an API integration and targets a well-known service domain. - [SAFE]: No obfuscation, unauthorized privilege escalation, or persistence mechanisms were detected. The skill correctly identifies its required secrets in the metadata and directs all network requests to established service providers.
Audit Metadata