launchdarkly-flag-targeting
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [SAFE] (SAFE): Analysis of the skill's instructions and references found no evidence of malicious intent, data exfiltration, or unauthorized command execution.
- [Indirect Prompt Injection] (LOW): The skill exhibits a surface for indirect prompt injection as it ingests data from external sources that may be user-controlled.
- Ingestion points: Data retrieved from the LaunchDarkly API via the
get-flagtool (referenced in SKILL.md and safety-checklist.md). - Boundary markers: No explicit delimiters or boundary markers for external data are defined within the skill instructions.
- Capability inventory: Significant modification capabilities including
toggle-flag,update-rollout,update-targeting-rules, andcopy-flag-config(defined in SKILL.md). - Sanitization: No specific sanitization or validation of the ingested flag metadata (such as descriptions or comments) is described in the skill logic.
- Assessment: The risk is mitigated by the skill's strong focus on human-in-the-loop safety checklists, environment verification, and support for LaunchDarkly's native approval workflows.
Audit Metadata