
This attack was demonstrated a couple of years ago; it's not really a new thing.

https://simonwillison.net/2023/Oct/14/multi-modal-prompt-inj...



The problem is that this was a vulnerability in Notion without any mitigations or safeguards against it.


I’m just curious — does the Notion AI agent send the PDF directly to Claude, or does it extract the content of the PDF and then send only the content to Claude? If it’s just the content, then Claude would have no way of knowing it’s an attack, right?


Not really a new vulnerability, and yet Notion just shipped it this week. All caution thrown to the wind in the name of an announce-able AI feature.


And people will still continue to glaze AI over and over again.



