notion
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install an external binary using
go install github.com/lox/notion-cli@latest. This downloads and compiles code from the author's public GitHub repository at runtime. - [COMMAND_EXECUTION]: The skill relies on executing the
notion-clicommand via the Bash tool to perform operations such as searching, viewing, creating, and editing Notion content. This includes commands that interact with the local file system, such asnotion-cli page upload ./document.md. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from an external source (Notion).
- Ingestion points: Untrusted data enters the agent context through
notion-cli page view,notion-cli search,notion-cli db query, andnotion-cli comment listinSKILL.md. - Boundary markers: There are no instructions or delimiters defined to help the agent distinguish between its system instructions and the content retrieved from Notion.
- Capability inventory: The skill possesses the capability to modify or delete data (archive, edit, create) within the Notion workspace using
notion-cli. - Sanitization: No sanitization or filtering is applied to the content fetched from Notion before it is processed by the agent.
Audit Metadata