project-session-manager

Warn

Audited by Snyk on Apr 27, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill fetches PR/issue content from third-party providers (e.g., provider_github_fetch_pr via the gh CLI and other provider_* fetch functions) and writes the PR/issue bodies into rendered context files (.psm/review.md, .psm/fix.md). Those files are then explicitly injected into Claude via psm_launch_claude/psm_inject_prompt, so untrusted, user-generated web content is read by the agent and can directly influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill fetches PR/issue content at runtime from GitHub (e.g., https://github.com/owner/repo/pull/123 via the gh CLI/API) and renders the PR/issue body into .psm/review.md or initial prompts that are injected into Claude, so remote content directly controls the agent's prompts.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill performs many filesystem- and process-modifying actions in the user's home directory (cloning repos, creating worktrees/sessions, writing ~/.psm files) and explicitly instructs launching Claude with the "--dangerously-skip-permissions" flag, which bypasses directory-trust/tool-approval prompts (a security bypass). It does not request sudo, modify system files, or create system users.

Audit Metadata

Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 07:37 AM
Issues: 3