notion-spec-to-implementation
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFE PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from external specification documents to drive automated task creation.
  - Ingestion points: Data enters the agent's context through the `Notion:notion-fetch` tool, which retrieves the full content of specification pages found during the `Notion:notion-search` phase, as documented in `SKILL.md` and `reference/spec-parsing.md`.
  - Boundary markers: There are no explicit delimiters or specific instructions to the agent to treat the fetched content as data only; the workflow assumes the content consists of valid requirements, which could allow an attacker to embed malicious instructions within a Notion page.
  - Capability inventory: The skill has broad write access to the user's Notion environment, including the ability to create new pages (`Notion:notion-create-pages`) and modify existing ones (`Notion:notion-update-page`).
  - Sanitization: The skill lacks any filtering, escaping, or validation mechanisms for the content retrieved from Notion before it is used to generate implementation plans and individual tasks.
Audit Metadata