pw-pair-programming

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill autonomously scrapes and reads ChatGPT conversation content and links from the Navigator DOM (e.g., document.querySelector('[data-message-author-role="assistant"]') in pp get-response and pp download) and then uses those assistant messages and sandbox download links to drive actions (sending follow-ups, downloads), so untrusted/third‑party conversation content can materially influence tool behavior.