onboardingV2
Pass
Audited by Gen Agent Trust Hub on Jun 3, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill is a legitimate development tool provided by the vendor 'launchdarkly' for project onboarding.
- [COMMAND_EXECUTION]: The skill performs routine development tasks such as installing packages via npm/pip/etc., using npx to manage agent skills, and checking for open ports using lsof. These actions are necessary for its intended functionality.
- [EXTERNAL_DOWNLOADS]: Configuration and sub-skills are retrieved from official LaunchDarkly GitHub repositories. These operations use standard tooling and target trusted vendor infrastructure.
- [CREDENTIALS_UNSAFE]: While the skill manages sensitive LaunchDarkly SDK keys and API tokens, it implements robust safety protocols:
  - It enforces the use of environment variables and .env files rather than hardcoding.
  - It automatically verifies or updates .gitignore to prevent secrets from being committed.
  - It utilizes mandatory blocking decision points (e.g., D7 in the apply skill and D4-LOCAL in mcp-configure) to ensure the user explicitly chooses how secrets are handled.
  - It provides clear warnings to the user about the risks associated with AI agents handling sensitive tokens.
- [DATA_EXFILTRATION]: The skill includes a 'source' parameter in signup links for attribution purposes. This is a standard marketing practice and does not involve the exfiltration of sensitive user or system data.
Audit Metadata