launchpad-webembed

SUSPICIOUS. The skill’s overall purpose is coherent and data flows target official Pega services, so it does not look malicious. However, it includes a browser-side Client Credentials pattern that exposes clientSecret through NEXT_PUBLIC variables and passes it to a remotely loaded web component, creating disproportionate credential-forwarding risk; the remote script load is same-vendor but unpinned.