skills/pegasystems/pega-launchpad-agent-skills/launchpad-webembed/Snyk

launchpad-webembed

Fail

Audited by Snyk on Apr 7, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

Insecure credential handling detected (high risk: 1.00). The prompt's examples place a clientSecret into client-side code and a NEXT_PUBLIC .env variable and inject it directly into the tag, which requires including secret values verbatim in generated HTML/JS and thus poses a high exfiltration risk.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.80). The skill dynamically injects and loads the external script https://lp.constellation.pega.com/integrated/react/prod/pega-embed.js at runtime, which executes remote code in the host page and is required for the embed to function.

Issues (2)

W007

HIGH

Insecure credential handling detected in skill instructions.

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

HIGH

Analyzed

Apr 7, 2026, 01:00 PM

Issues

2