notion-spec-to-implementation
Pass
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill integrates with the official Notion platform using its Model Context Protocol (MCP) server at
https://mcp.notion.com/mcp. This is a well-known and trusted service domain. - [SAFE]: No evidence of hardcoded credentials, unauthorized data exfiltration, or persistence mechanisms was found. The skill operates entirely within the user's authenticated Notion context.
- [SAFE]: The skill contains a Base64-encoded image string within the
assets/notion-small.svgfile. This is a standard method for embedding icons in SVG files and does not contain executable code or hidden malicious instructions. - [PROMPT_INJECTION]: The skill processes external, user-controlled data (Notion pages containing product specifications), which constitutes an indirect prompt injection surface. While no active exploit is present, the capability exists for external text to influence agent behavior.
- Ingestion points: Specification content is retrieved from the user's Notion workspace using the
Notion:notion-fetchtool as described inSKILL.mdandreference/spec-parsing.md. - Boundary markers: Absent. The instructions do not currently utilize clear delimiters or specific instructions to the agent to disregard potential commands found within the fetched specification text.
- Capability inventory: The agent possesses the capability to search, read, create, and update pages within the connected Notion workspace using tools like
Notion:notion-search,Notion:notion-fetch,Notion:notion-create-pages, andNotion:notion-update-page. - Sanitization: Absent. The workflow involves extracting text from specifications and interpolating it directly into new plan and task pages without sanitization or filtering.
Audit Metadata