mmk-paymint-notion-invoice
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from an external source (Notion) and uses it to construct instructions or commands for the agent.
  - Ingestion points: Customer names, product descriptions, and messages are queried from a Notion database in Step 2 of SKILL.md.
  - Boundary markers: None. The skill does not instruct the agent to treat the database content as data only or to ignore instructions within it.
  - Capability inventory: The skill executes shell commands via the mmk CLI for sending invoices and updating the Notion database in Steps 5 and 7.
  - Sanitization: While phone numbers are normalized, free-text fields like message and product are not sanitized before being interpolated into CLI commands.
- [COMMAND_EXECUTION]: The skill makes extensive use of the mmk CLI tool to interact with Notion and Paymint. The fallback mechanism for single-send operations interpolates text variables directly into shell command arguments, which is a common attack surface when handling external input.