Skills
skills/vm0-ai/vm0-skills/notion/Gen Agent Trust Hub

notion

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFECOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Uses curl and jq to interact with the Notion API. It also writes temporary data to /tmp/notion_request.json to handle JSON payloads for POST and PATCH requests.- [DATA_EXFILTRATION]: Accesses Notion workspace data by making network requests to the well-known service api.notion.com. Authentication is handled via the $NOTION_TOKEN environment variable, following standard security practices for credential management.- [PROMPT_INJECTION]: Contains an indirect prompt injection surface as it retrieves content from untrusted external Notion pages and databases.
  • Ingestion points: The skill fetches page content, block children, and database entries using API calls in SKILL.md (e.g., Read Page with Content).
  • Boundary markers: No explicit delimiters or instructions are provided to the agent to treat fetched content as data rather than instructions.
  • Capability inventory: The skill has access to network operations via curl and local file writes to /tmp.
  • Sanitization: There is no evidence of sanitization or filtering applied to the data retrieved from Notion before it enters the agent context.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 17, 2026, 04:44 PM