Feature Flag Cleanup

Advisory. Audited by static analysis on May 3, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The main risk is provenance ambiguity rather than hidden code execution.

Why it was flagged

There is no executable install path to review, but publisher/provenance information is limited, so users should verify trust before installation.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Install only if you trust the publisher, and review the full SKILL.md before granting access to repositories or service accounts.

What this means

If granted write access, the agent could create code changes or tickets that affect engineering workflows.

Why it was flagged

Drafting PRs and tickets is purpose-aligned for flag cleanup, but it can become mutation-capable if the agent is allowed to push branches or create remote tickets.

Skill content

generates removal pull requests ordered by safety ... produces a ranked removal plan, owner-tagged tickets, removal PRs grouped by risk

Recommendation

Keep generated PRs/tickets in draft or local form until a human reviews them; require explicit approval before pushing branches, opening PRs, filing tickets, or changing flag-service state.

What this means

Overbroad tokens could expose or alter feature-flag configuration across environments.

Why it was flagged

Direct flag-service API access usually requires account credentials or tokens; this is expected for the skill but should be tightly scoped.

Skill content

LaunchDarkly REST API `/api/v2/flags`, Unleash `/api/admin/features`, Flagsmith `/api/v1/features/`, GrowthBook `/api/v1/features`, Split `/internal/api/v2/splits`

Recommendation

Use read-only, least-privilege tokens or exports for auditing; avoid admin/delete scopes unless a human explicitly approves a specific cleanup action.
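One way to enforce the two recommendations above at the agent layer (read-only audit access by default, and a per-call human approval before any flag-service state changes), as an added example that is not part of the skill or of ClawScan. The endpoint paths are the ones quoted in this advisory, taken as written; real provider APIs may need project or environment segments, which is an assumption here. The `transport` callable and the `FakeTransport` that stands in for HTTP are constructed so the example runs offline.

```python
"""Approval-gated, read-only-by-default client for feature-flag service APIs (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Read-only audit endpoints as listed in the advisory, keyed by provider (paths as quoted there).
AUDIT_ENDPOINTS = {
    "launchdarkly": "/api/v2/flags",
    "unleash": "/api/admin/features",
    "flagsmith": "/api/v1/features/",
    "growthbook": "/api/v1/features",
    "split": "/internal/api/v2/splits",
}
SAFE_METHODS = frozenset({"GET", "HEAD"})
# Hypothetical transport signature: transport(method, path, headers, json_body) -> dict.
Transport = Callable[[str, str, dict, Optional[dict]], dict]


class PolicyViolation(Exception):
    """Raised when a call is outside the audit allowlist or lacks a matching approval."""


@dataclass(frozen=True)
class Approval:
    """A human approval covers exactly one method+path pair and cannot be reused for another call."""
    method: str
    path: str
    approved_by: str


@dataclass
class FlagServiceClient:
    provider: str
    token: str
    transport: Transport
    audit_log: list = field(default_factory=list)

    def _headers(self) -> dict:
        return {"Authorization": self.token}

    def _record(self, method: str, path: str, decision: str) -> None:
        # The token never reaches the log; a short prefix is enough to correlate with the service side.
        self.audit_log.append((method, path, decision, self.token[:6] + "..."))

    def audit_get(self, path: Optional[str] = None) -> dict:
        """Read-only access, restricted to the provider's audit endpoint and sub-paths of it."""
        base = AUDIT_ENDPOINTS[self.provider]
        path = path or base
        if not path.startswith(base):
            self._record("GET", path, "denied: outside audit allowlist")
            raise PolicyViolation(f"{path} is not under {base}")
        self._record("GET", path, "allowed")
        return self.transport("GET", path, self._headers(), None)

    def mutate(self, method: str, path: str, body: Optional[dict],
               approval: Optional[Approval] = None) -> dict:
        """Any state change (archive, delete, retarget) needs an approval for this exact call."""
        method = method.upper()
        if method in SAFE_METHODS:
            raise PolicyViolation("use audit_get for read-only calls")
        if approval is None or approval.method != method or approval.path != path:
            self._record(method, path, "denied: no matching approval")
            raise PolicyViolation(f"{method} {path} requires explicit human approval")
        self._record(method, path, f"allowed: approved by {approval.approved_by}")
        return self.transport(method, path, self._headers(), body)


class FakeTransport:
    """Constructed offline stand-in for HTTP: records calls and returns canned JSON."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, body))
        if method == "GET":
            return {"items": [{"key": "legacy-search-v2", "archived": False}]}
        return {"key": path.rsplit("/", 1)[-1], "archived": True}


def demo():
    """Audit read succeeds; an unapproved archive is refused; the same call with approval goes through."""
    transport = FakeTransport()
    client = FlagServiceClient("launchdarkly", "api-0123456789abcdef", transport)
    flags = client.audit_get()
    target = "/api/v2/flags/proj/legacy-search-v2"  # hypothetical flag path
    try:
        client.mutate("PATCH", target, {"archived": True})
        refused = False
    except PolicyViolation:
        refused = True
    ok = Approval("PATCH", target, "alice@example.com")
    result = client.mutate("PATCH", target, {"archived": True}, approval=ok)
    return flags, refused, result, client.audit_log, transport.calls


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The approval object is bound to one method and one path, so an approval granted for archiving one flag cannot be replayed against another, and the audit log records denials as well as allowed calls without ever containing the full token.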

What this means

Sensitive code, ownership information, tickets, and production telemetry may be processed during an audit.

Why it was flagged

The skill intentionally brings private source code, operational telemetry, and ticket metadata into the agent context to find stale flags.

Skill content

Codebase | Flag references in source, configs, tests | `git grep`, AST parse ...
Telemetry | Datadog, Honeycomb ...
Ticket system | Jira `flag:` label, Linear cycle search

Recommendation

Limit searches to relevant repos/environments, exclude secrets and unrelated directories, avoid long-term retention of scan results, and prefer sanitized exports when possible.
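The following is an added example, not the skill's own code, showing how the data sources above (code references, telemetry, ticket labels) can be combined into the ranked, owner-tagged removal plan the skill describes while honouring the recommendation to exclude secrets and unrelated directories. All inputs are constructed inline so it runs offline: a fake source tree, a flag export in a generic shape (real provider exports differ; an assumption), 30-day evaluation counts as a telemetry export might provide them, and the `flag:` ticket-label convention quoted above. Python files are parsed with `ast` so that keys are matched as string constants rather than by plain grep; other files are regex-scanned. The risk classification rule is this example's own, not the skill's.

```python
"""Stale-flag audit producing a risk-ranked removal plan (added example, constructed inputs)."""
import ast
import re
from collections import defaultdict

# Directories and secret-looking files are never scanned, so credentials stay out of the agent context.
EXCLUDED_DIRS = ("vendor/", "node_modules/", "build/", ".git/")
SECRET_FILE = re.compile(r"(^|/)(\.env(\..*)?|.*\.pem|.*secrets?\.(ya?ml|json))$")

# Constructed source tree: path -> file contents.
SOURCE = {
    "app/checkout.py": "if flags.enabled('new-checkout'):\n    run_new()\nelse:\n    run_old()\n",
    "app/search.py": "FEATURE = 'legacy-search-v2'\nif flags.enabled(FEATURE):\n    pass\n",
    "web/ui.js": "if (ld.variation('dark-mode', false)) { render(); }\n",
    "vendor/lib.py": "flags.enabled('new-checkout')\n",
    ".env": "LD_SDK_KEY=sdk-deadbeef\nFLAG=new-checkout\n",
}
# Constructed flag export: key -> rollout percentage, owner tag, age in days.
FLAGS = {
    "new-checkout": {"rollout": 100, "owner": "payments", "age_days": 400},
    "legacy-search-v2": {"rollout": 0, "owner": "search", "age_days": 210},
    "dark-mode": {"rollout": 35, "owner": "web", "age_days": 20},
    "orphan-flag": {"rollout": 100, "owner": "", "age_days": 600},
}
# Constructed telemetry: evaluations per flag over the last 30 days.
EVALS_30D = {"new-checkout": 12000, "legacy-search-v2": 0, "dark-mode": 900, "orphan-flag": 0}


def scan_references(source, flag_keys):
    """Return {flag: {"path:line", ...}} plus the list of paths skipped by the exclusion rules."""
    refs = defaultdict(set)
    skipped = []
    for path, text in source.items():
        if path.startswith(EXCLUDED_DIRS) or SECRET_FILE.search(path):
            skipped.append(path)
            continue
        if path.endswith(".py"):
            try:
                tree = ast.parse(text)
            except SyntaxError:
                tree = None  # fall back to regex on unparseable files
            if tree is not None:
                for node in ast.walk(tree):
                    if isinstance(node, ast.Constant) and node.value in flag_keys:
                        refs[node.value].add(f"{path}:{node.lineno}")
                continue
        for key in flag_keys:
            for m in re.finditer(r"(?<![\w-])" + re.escape(key) + r"(?![\w-])", text):
                line = text.count("\n", 0, m.start()) + 1
                refs[key].add(f"{path}:{line}")
    return refs, skipped


def classify(meta, evals):
    """Example risk rule: settled rollout and no recent evaluations is low; settled but still
    evaluated is medium (the served branch must be kept); a partial rollout is high (live experiment)."""
    if meta["rollout"] not in (0, 100):
        return "high"
    if evals == 0:
        return "low"
    return "medium"


def removal_plan(source, flags, evals_30d):
    """Rank flags by removal safety, tag each with owner, code references and a ticket label."""
    refs, skipped = scan_references(source, set(flags))
    rank = {"low": 0, "medium": 1, "high": 2}
    plan = []
    for key, meta in flags.items():
        plan.append({
            "flag": key,
            "risk": classify(meta, evals_30d.get(key, 0)),
            "keep_branch": "on" if meta["rollout"] == 100 else "off" if meta["rollout"] == 0 else None,
            "references": sorted(refs[key]),
            "owner": meta["owner"] or "UNOWNED",
            "ticket_label": f"flag:{key}",
        })
    plan.sort(key=lambda p: (rank[p["risk"]], len(p["references"]), p["flag"]))
    return plan, skipped


if __name__ == "__main__":
    plan, skipped = removal_plan(SOURCE, FLAGS, EVALS_30D)
    for item in plan:
        print(item["risk"], item["flag"], item["owner"], item["references"])
    print("skipped:", skipped)
```

Note that the reference to `new-checkout` inside `vendor/` and the copy of the key inside `.env` are both absent from the plan: the exclusion happens before any content is read into the result, which is the point of the recommendation above. An unowned flag is surfaced as `UNOWNED` rather than silently assigned, so the ticket can be routed by a human.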