Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finishing A Development Branch

v0.1.0

Use when implementation is complete, all tests pass, and you need to decide how to integrate the work - guides completion of development work by presenting s...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill name and description align with the instructions (verifying tests, choosing merge/PR/discard, cleaning worktrees). However, the registry metadata declares no required binaries or env vars, while the instructions clearly rely on git, git-worktree, a git remote (origin), the GitHub CLI (gh) for PR creation, and language test runners (npm/cargo/pytest/go). This is an omission/incoherence: those tools and network/auth access are realistically required to perform the tasks.
Instruction Scope
The SKILL.md stays on-task: verify tests, determine base branch, present four fixed options, and execute the chosen workflow. It explicitly requires confirmation before destructive actions (typed 'discard') and mandates test verification. Instructions do perform high-impact repo operations (merge, push, delete branch, remove worktree), which is appropriate for the skill’s purpose but must be treated as destructive by the user.
Install Mechanism
Instruction-only skill with no install steps and no code files — low installation risk. Nothing is downloaded or written by an install process according to the registry metadata.
Credentials
No environment variables or credentials are declared, yet the instructions assume authenticated access to a remote (git push, gh pr create). The GitHub CLI (gh) typically requires an authenticated session or GITHUB_TOKEN; pushing requires git remote credentials. The skill also references various language-specific test commands without declaring or checking for those runtimes. The lack of declared binaries/credentials is disproportionate to the actual requirements.
Persistence & Privilege
The skill is not force-included (always:false) and does not request persistent system-level privileges. It modifies the user's repository state (merges, deletes branches, removes worktrees) which is appropriate for its purpose but inherently destructive; this is a runtime privilege rather than a platform privilege and should be guarded by user confirmation and backups.
What to consider before installing
This skill appears to do what it says (finish a development branch) but has some important omissions and destructive actions to be aware of:

- Missing declared requirements: The SKILL.md assumes git, git-worktree, the GitHub CLI (gh), and language test runners are available and that you have network/auth access to the repo, yet the skill declares no required binaries or credentials. Verify those tools are installed and authenticated before running.
- Destructive operations: The skill can delete branches and remove worktrees. Ensure you have backups or that you run it on a non-critical clone first. Confirm the 'discard' confirmation behavior actually prevents accidental deletion in your environment.
- Authentication: For 'gh pr create' and 'git push' to work, the agent or environment must be authenticated (gh auth or git credentials). Decide whether you are comfortable giving the agent those capabilities; consider doing PR creation and pushes manually if you prefer.
- Dry-run / review: If possible, run the steps in a dry-run mode or have the agent print the exact git commands it will run and require explicit user approval before executing them.

If you intend to use this skill, require that the agent run only in an environment you control (local clone or CI job with disposable credentials), ensure gh/git are authenticated as expected, and prefer manual confirmation for any push/branch-delete operations.

