pp-notion

Pass

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the notion-pp-cli tool from the author's official GitHub repository (github.com/mvanhorn/printing-press-library) and via npm (@mvanhorn/printing-press).
  • [COMMAND_EXECUTION]: The skill uses shell commands to interact with the installed binary, allowing the agent to pass user-provided input as arguments to the CLI.
  • [DATA_EXFILTRATION]: The CLI tool supports a --deliver webhook:<url> flag, enabling the transmission of command outputs to external endpoints. It also contains a feedback mechanism capable of sending data to a remote endpoint if configured.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted content from Notion workspaces (pages, blocks, and comments) and has access to capabilities like file writing and network operations.
      • Ingestion points: Data retrieved from Notion via search, query, and list commands in SKILL.md.
      • Boundary markers: No explicit delimiters or instructions are used to separate untrusted data from the agent prompt.
      • Capability inventory: Execution of shell commands via the Read Bash tool, atomic file writing via the --deliver file flag, and network POST requests via the --deliver webhook flag.
      • Sanitization: There is no evidence of input validation or sanitization for content processed from the Notion API.
Audit Metadata
Risk Level: SAFE
Analyzed: May 9, 2026, 03:00 AM