Feature Flag Cleanup
Result: Pass. Audited by VirusTotal on May 3, 2026.
Overview
Type: OpenClaw Skill
Name: feature-flag-cleanup
Version: 1.0.0

The skill bundle provides a comprehensive and professional framework for an AI agent to audit and clean up stale feature flags across multiple platforms such as LaunchDarkly, Unleash, and Flagsmith. The instructions in SKILL.md describe a multi-step process: inventorying flags via platform APIs, analyzing codebases with git tools, and generating removal pull requests grouped by risk level. The logic is well-structured, aligns with standard DevOps practices for reducing technical debt, and contains no evidence of malicious intent, data exfiltration, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The main risk is provenance ambiguity rather than hidden code execution.
There is no executable install path to review, but publisher/provenance information is limited, so users should verify trust before installation.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Install only if you trust the publisher, and review the full SKILL.md before granting access to repositories or service accounts.
If granted write access, the agent could create code changes or tickets that affect engineering workflows.
Drafting PRs and tickets is purpose-aligned for flag cleanup, but it can become mutation-capable if the agent is allowed to push branches or create remote tickets.
Evidence from SKILL.md: "generates removal pull requests ordered by safety ..." and "produces a ranked removal plan, owner-tagged tickets, removal PRs grouped by risk".
Keep generated PRs/tickets in draft or local form until a human reviews them; require explicit approval before pushing branches, opening PRs, filing tickets, or changing flag-service state.
Overbroad tokens could expose or alter feature-flag configuration across environments.
Direct flag-service API access usually requires account credentials or tokens; this is expected for the skill but should be tightly scoped.
Evidence from SKILL.md (flag-service endpoints referenced): LaunchDarkly REST API `/api/v2/flags`, Unleash `/api/admin/features`, Flagsmith `/api/v1/features/`, GrowthBook `/api/v1/features`, Split `/internal/api/v2/splits`.
Use read-only, least-privilege tokens or exports for auditing; avoid admin/delete scopes unless a human explicitly approves a specific cleanup action.
Sensitive code, ownership information, tickets, and production telemetry may be processed during an audit.
The skill intentionally brings private source code, operational telemetry, and ticket metadata into the agent context to find stale flags.
Evidence from SKILL.md (data sources table, excerpted):
Codebase | Flag references in source, configs, tests | `git grep`, AST parse ...
Telemetry | Datadog, Honeycomb ...
Ticket system | Jira `flag:` label, Linear cycle search
Limit searches to relevant repos/environments, exclude secrets and unrelated directories, avoid long-term retention of scan results, and prefer sanitized exports when possible.
