High-risk tools in Pinchtab
11 of the 19 tools in Pinchtab are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
pinchtab_clickExecuteClick an element by its ref ID (e.g.
-
pinchtab_evalExecuteExecute JavaScript code in the page context. Returns the result of the expression.
-
pinchtab_focusExecuteFocus an element by its ref ID. Useful for triggering focus-dependent UI (e.g. autocomplete dropdowns) without clicking.
-
pinchtab_hoverExecuteHover over an element by its ref ID. Triggers mouseover/mouseenter events — useful for revealing tooltips, dropdown menus, or hover states.
-
pinchtab_navigateExecuteNavigate the browser to a URL. Set waitMs to wait for page load and get a snapshot back automatically.
-
pinchtab_pressExecutePress a keyboard key (e.g.
-
pinchtab_scrollExecuteScroll the page or a specific element. Supports all four directions.
-
pinchtab_selectExecuteSelect an option in a <select> dropdown by its ref ID. Pass the option value or visible text.
-
pinchtab_typeExecuteType text into an input field by its ref ID. Uses human-like typing by default. Set clearFirst=true to click, select all, then type — required for React/Vue/Angular inputs where...
-
pinchtab_waitExecuteWait for a specified number of seconds. Useful after navigation or dynamic content loading.
-
pinchtab_wait_for_selectorExecuteWait for a CSS selector to appear on the page. Polls every 500ms up to the timeout. Useful for waiting on dynamic content, modals, or lazy-loaded elements.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.