launchdarkly-flag-cleanup
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the @launchdarkly/mcp-server package as specified in marketplace.json. Because the author organization is not in the predefined trusted sources list, this is flagged as an unverifiable external dependency.
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data by scanning the local codebase (SKILL.md Step 1). Evidence: 1. Ingestion points: codebase file contents; 2. Boundary markers: absent; 3. Capability inventory: file read, file write, and network access via MCP; 4. Sanitization: none.
- COMMAND_EXECUTION (LOW): The verification workflow in SKILL.md (Step 6) directs the agent to execute build and lint commands, which runs locally defined and potentially untrusted scripts within the target project.