notion

Pass

Audited by Gen Agent Trust Hub on May 22, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute curl commands to perform CRUD operations (Create, Read, Update, Delete) on Notion workspace objects like pages and databases.
  • [DATA_EXFILTRATION]: The skill facilitates data transfer between the local environment and api.notion.com. As Notion is a well-known productivity service and the primary target of this skill, this behavior is expected and legitimate.
  • [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection (Category 8) as it retrieves content from Notion pages and blocks. Maliciously crafted content within a Notion workspace could potentially attempt to influence the agent's behavior during processing.
  • Ingestion points: Reads page content, database queries, and block children from api.notion.com (SKILL.md).
  • Boundary markers: None identified; external content is processed directly.
  • Capability inventory: Network operations via curl (SKILL.md).
  • Sanitization: No specific sanitization or filtering of API responses is implemented before the content is presented to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
May 22, 2026, 05:45 AM
Security Audit — agent-trust-hub — notion