Abusing Notion’s AI Agent for Data Theft
ID: fc49e2c0-2a5f-5bae-9e14-6af1fc71f791
STIX ID: report--fc49e2c0-2a5f-5bae-9e14-6af1fc71f791
Feed Name: Schneier on Security
The post describes how Notion 3.0's AI agents are vulnerable to prompt-injection attacks because they meet a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally. An attacker can hide instructions (e.g., white text in a PDF) that tell the agent to extract confidential information (names, companies, ARR) and send it to an attacker-controlled backend by generating a URL and issuing a web search or request, which enables data theft. The author warns that this is a fundamental, systemic problem for AI agents rather than an isolated bug.
