project-session-manager

Warn

Audited by Snyk on Feb 21, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly fetches PRs and issues from public providers (e.g., provider_github_fetch_pr in lib/providers/github.sh, invoked by psm.sh's cmd_review/cmd_fix, which runs "gh pr view" / "gh issue view"). It then injects the fetched PR/issue title and body into session metadata and into the review/fix templates that are launched into Claude Code and used to drive actions (worktree/branch creation, tmux/claude launch, cleanup). Untrusted, user-generated content from third-party sites can therefore materially influence agent behavior.
Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 21, 2026, 07:34 PM