hello, are there any security concerns we should be aware of with respect to sdk client keys? what could a bad actor potentially do with this key if they extract it from my mobile app's source code?

mostly no- client keys are not a privileged key, have no write abilities. If your features/experiments have rules with private data in them, then you might not want it to leak (ie, if you're targeting to specific users ids, or email lists). When using GrowthBook server side, its usually not an issue. If you are using GrowthBook client side, you can hash or otherwise obscure the targeting info, as the info in the payload is visible in the HTML

excellent, thank you