Security risk report for @forgecat/openai_skills_notion-research-documentation v0.0.10
Source Integrity
Low
Profile sourced from OpenAI's official skills repository (github.com/openai/skills) with clear attribution and Apache-2.0 license.
Commit hash and timestamp provided for traceability; no suspicious or obfuscated origin.
Agent Intent
Low
Content describes legitimate research workflows (search, fetch, synthesize, document) with no instructions to manipulate the AI, exfiltrate data, or bypass security controls.
Examples and templates demonstrate proper citation practices and transparent use of Notion sources; no hidden instructions or guidance poisoning detected.
Markdown content is educational and procedural—it teaches the agent how to conduct research and format output, not how to deceive or harm.
Details
Evidence
README and SKILL.md outline standard research steps: search → fetch → synthesize → create documentation.
Examples (competitor-analysis.md, market-research.md, technical-investigation.md, trip-planning.md) show complete workflows with proper source attribution using mention-page tags.
Reference guides (citations.md, format-selection-guide.md) emphasize transparency and citation best practices.
Permissions
Low
Skill declares only Notion-related tools (notion-search, notion-fetch, notion-create-pages, notion-update-page) aligned with its stated purpose of researching and documenting Notion content.
No shell, file_write, file_delete, or other high-risk tool categories requested.
Authority is scoped to Notion workspace operations; no excessive or unrelated permissions.
Details
Evidence
SKILL.md references only Notion MCP tools: 'Notion:notion-search', 'Notion:notion-fetch', 'Notion:notion-create-pages', 'Notion:notion-update-page'.
No tool definitions or hooks with alwaysApply=true or broad globs detected.
Workflow steps (0–5) describe only Notion interactions and document creation.
MCP Risk
MCP-000Medium
The MCP server points to https://mcp.notion.com/mcp, which is Notion's official hosted MCP endpoint — a known, legitimate service rather than an unknown or attacker-controlled binary.
No hidden instructions are embedded in tool descriptions, and no unrestricted filesystem or arbitrary binary execution is configured; access is scoped to the Notion API.
External host access is required (mcp.notion.com) and OAuth credentials are obtained at runtime via 'codex mcp login notion', introducing a dependency on an external authentication flow that warrants standard caution.