Skills
skills/launchdarkly/agent-skills/aiconfig-create/Gen Agent Trust Hub

aiconfig-create

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION] (MEDIUM): The skill instructs the agent to search for API credentials in sensitive local configuration paths and environment variables.\n
  • Evidence: SKILL.md explicitly directs the agent to check ~/.claude/config.json and environment variables such as LAUNCHDARKLY_API_KEY. While this is intended for authenticating the skill's own operations, it involves accessing paths that typically contain sensitive session tokens and secrets.\n- [PROMPT_INJECTION] (LOW): The skill exhibits surface area for indirect prompt injection through user-controlled data interpolation.\n
  • Ingestion points: references/api-quickstart.md uses the {{user_prompt}} placeholder for completion mode configuration.\n
  • Boundary markers: Absent. No delimiters or instructions are provided to the agent to treat this data as untrusted.\n
  • Capability inventory: The skill possesses network capabilities via curl to send data to external API endpoints.\n
  • Sanitization: No sanitization or validation of the interpolated user input is performed before it is sent to the API.\n- [COMMAND_EXECUTION] (SAFE): The skill utilizes curl to interact with the service's official API.\n
  • Evidence: Both SKILL.md and references/api-quickstart.md provide bash examples using curl to communicate with app.launchdarkly.com for legitimate configuration management.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:17 PM