
notion

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill instructions involve reading an API key from ~/.config/notion/api_key to authenticate network requests to Notion's official API domain (api.notion.com). This behavior is consistent with the skill's primary purpose and uses standard secret management practices.
  • [COMMAND_EXECUTION]: The skill provides several curl command examples to perform CRUD operations on Notion pages and data sources. These commands are standard for REST API interactions.
  • [PROMPT_INJECTION]: The skill processes content retrieved from Notion, which represents an indirect prompt injection surface.
      • Ingestion points: Untrusted data enters the agent context via API calls that retrieve page blocks and data source queries (e.g., GET /v1/blocks/{page_id}/children).
      • Boundary markers: The instructions do not include specific delimiters or warnings to ignore instructions embedded within the retrieved Notion content.
      • Capability inventory: The skill utilizes curl for network requests to Notion's API. No arbitrary command execution, file system writes, or other high-risk capabilities are present.
      • Sanitization: There is no mention of sanitizing or validating the content retrieved from the Notion API.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 23, 2026, 06:37 AM
Security Audit — agent-trust-hub — notion