Skylv Feature Flag Manager

Pass. Audited by VirusTotal on May 2, 2026.

Overview

Type: OpenClaw Skill
Name: skylv-feature-flag-manager
Version: 1.0.0

The skill is a straightforward local feature flag manager that allows an AI agent to create, toggle, and list feature flags stored in a local JSON file (`.featureflags/config.json`). The logic in `flag.js` is limited to basic file I/O and command-line argument parsing without any network activity, shell execution, or sensitive data access.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running a documented command such as 'toggle broken-feature --off' could enable a disabled feature instead of safely turning it off.

Why it was flagged

The toggle command blindly flips the current flag state and does not parse the documented --off or --on arguments. SKILL.md presents this as an emergency kill-switch workflow.

Skill content

else if (cmd === 'toggle') { ... config.flags[name].enabled = !config.flags[name].enabled; ... }

Recommendation

Do not rely on this as a production or agent kill switch until --on/--off are implemented as explicit idempotent state-setting operations with clear output.

What this means

A user or agent may believe gradual rollout, A/B testing, or user targeting is being enforced when it is not.

Why it was flagged

The documentation advertises rollout and variant commands, but the provided flag.js implements only create, enabled, toggle, and list; its enabled command returns only the stored boolean and does not apply percentage or user targeting.

Skill content

`update <name> --percentage N` | Set rollout percentage (0-100) ... `variant <name>` | Get A/B variant for user

Recommendation

Implement the advertised commands and percentage/user targeting logic, or remove those claims and examples so users do not over-trust unsupported safety controls.

What this means

Changes to this local file can persistently alter which features an app or agent believes are enabled.

Why it was flagged

Feature flag decisions are stored persistently in a project-local JSON file that future runs will trust.

Skill content

const CONFIG_DIR = '.featureflags'; const CONFIG_FILE = path.join(CONFIG_DIR, 'config.json'); ... fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));

Recommendation

Review and protect .featureflags/config.json, especially if the flags affect production behavior or agent safety controls.