Agentinelv0.1.0

MCP security scorecard — OWASP Agentic Top 10 (2026)
target notion  ·  1 server  ·  7 tools  ·  from published tool specs
1
Findings
HIGH
Max severity
0
Critical
1
High
0
Medium

Capability matrix · Rule of Two

Server / toolA untrustedB sensitiveC external
notion / create_a_comment · ·
create_a_page · ·
query_data_source · ·
retrieve_a_comment · ·
retrieve_page_markdown · · ·
search · · ·
update_page_markdown · ·

Findings

HIGH

Lethal Trifecta / Rule-of-Two violation

ASI02 server:notion

This server's combined toolset spans all three lethal-trifecta axes, so an agent using it can be steered to chain them into data exfiltration or unauthorized action. Contributors — A (untrusted-input): notion:retrieve_a_comment; B (sensitive-access): notion:query_data_source; C (external-comms): notion:create_a_page, notion:update_page_markdown, notion:create_a_comment.

axes present: A+B+C

✓ Break the trifecta: remove one axis, split capabilities across isolated agents, or require human approval for the state-changing / external-comms step.

ASI02 · Tool Misuse and Exploitation · confidence 75%