notion-spec-to-implementation

Pass

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill integrates with the official Notion platform using its Model Context Protocol (MCP) server at https://mcp.notion.com/mcp. This is a well-known and trusted service domain.
  • [SAFE]: No evidence of hardcoded credentials, unauthorized data exfiltration, or persistence mechanisms was found. The skill operates entirely within the user's authenticated Notion context.
  • [SAFE]: The skill contains a Base64-encoded image string within the assets/notion-small.svg file. This is a standard method for embedding icons in SVG files and does not contain executable code or hidden malicious instructions.
  • [PROMPT_INJECTION]: The skill processes external, user-controlled data (Notion pages containing product specifications), which constitutes an indirect prompt injection surface. While no active exploit is present, the capability exists for external text to influence agent behavior.
  • Ingestion points: Specification content is retrieved from the user's Notion workspace using the Notion:notion-fetch tool as described in SKILL.md and reference/spec-parsing.md.
  • Boundary markers: Absent. The instructions do not currently utilize clear delimiters or specific instructions to the agent to disregard potential commands found within the fetched specification text.
  • Capability inventory: The agent possesses the capability to search, read, create, and update pages within the connected Notion workspace using tools like Notion:notion-search, Notion:notion-fetch, Notion:notion-create-pages, and Notion:notion-update-page.
  • Sanitization: Absent. The workflow involves extracting text from specifications and interpolating it directly into new plan and task pages without sanitization or filtering.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 21, 2026, 05:14 PM
Security Audit — agent-trust-hub — notion-spec-to-implementation