up-notion

Pass

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection.
      • Ingestion points: Untrusted data enters the context through git history commands (git log, git diff in SKILL.md) and existing Notion page content retrieved via notion-fetch (SKILL.md).
      • Boundary markers: The skill lacks any delimiters or specific instructions to ignore embedded commands within the fetched data.
      • Capability inventory: The skill has the ability to modify or create Notion pages (notion-update-page, notion-create-pages) and execute shell commands (Bash).
      • Sanitization: No input validation, escaping, or filtering of the external data is performed before it is used to draft updates.
  • [DATA_EXFILTRATION]: The skill's guidelines in references/notion-guidelines.md explicitly state that Notion is used to store sensitive information such as 'credential locations, URLs, contacts'. While the skill does not exhibit intentional data exfiltration to external domains, reading this sensitive information into the LLM context alongside untrusted inputs (like commit messages) creates a significant risk of unauthorized exposure or manipulation of credentials.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 15, 2026, 08:30 AM