launchpad-webembed

Pass

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill fetches the pega-embed.js library from https://lp.constellation.pega.com/integrated/react/prod/pega-embed.js. This is a legitimate vendor resource provided by Pega for the purpose of application embedding.
  • [COMMAND_EXECUTION]: The provided JavaScript examples use innerHTML to dynamically inject the <pega-embed> component into the DOM using interpolated variables (theme, startingFields). This creates a potential injection surface (Indirect Prompt Injection). Evidence: (1) Ingestion points: embedParams object in SKILL.md. (2) Boundary markers: Absent. (3) Capability inventory: DOM modification and external script execution. (4) Sanitization: Absent in example code.
  • [SAFE]: The documentation identifies security risks such as exposing client secrets in browser code and provides instructions for using PKCE and strict CORS origins to mitigate these risks.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 7, 2026, 01:00 PM