launchpad-ux-custom-components
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill is an official UI development toolkit authored by Pegasystems. All provided component templates, mock data, and architectural guidelines align with the Pega Constellation design system and its secure development practices.
- [EXTERNAL_DOWNLOADS]: The skill utilizes official Pegasystems Node.js packages, such as `@pega/cosmos-react-core` and `@pega/custom-dx-components`, which are standard, well-known resources for platform extension development.
- [DATA_EXFILTRATION]: Documentation regarding the setup of the Digital Experience Component Builder (DXCB) correctly identifies sensitive configuration values like OAuth credentials (`clientId`, `clientSecret`) and provides guidance on secure management without hardcoding values.
- [PROMPT_INJECTION]: The skill defines a functional surface for potential indirect injection through the ingestion of platform-sourced data and external content via iframes. This is a legitimate feature of the UI toolkit.
  - Ingestion points: Data enters the components via Pega Data Pages, DX APIs, and component properties defined in `config.json` files.
  - Boundary markers: Components utilize standard React encapsulation; while explicit text-based boundary markers are not present in the templates, the skill relies on the platform's secure rendering environment.
  - Capability inventory: The components have the ability to update case properties (`updateFieldValue`), trigger field events, and perform context-aware navigation within the authenticated Pega session.
  - Sanitization: Data display is handled by official Cosmos React components which include platform-level safeguards for secure rendering.
Audit Metadata