Post Merge Rename

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill in the wrong repository, or before reviewing the branch list, could change shared remote branch names and disrupt teammates, CI jobs, or branch-based workflows.

Why it was flagged

The default scan path can rename all merged local branches, push new branch names to origin, and delete the old remote branch names without an explicit confirmation step.

Skill content

merged=$(git branch --merged main ...)
...
git branch -m "$trimmed" "$new_name" 2>/dev/null || true
git push origin "$new_name" 2>/dev/null || true
git push origin --delete "$trimmed" 2>/dev/null || true

Recommendation

Make dry-run the default, require explicit user confirmation before pushing or deleting remote refs, and prefer an explicit branch argument for remote mutations.

What this means

A user may underestimate the impact because the wording suggests no deletion occurs, even though the old remote branch name is removed from origin.

Why it was flagged

The script contains a reassuring 'Never deletes branches' claim while also deleting the old remote branch ref as part of the remote rename process.

Skill content

# Never deletes branches. Only renames.
...
git push origin --delete "$trimmed" 2>/dev/null || true

Recommendation

Clarify that remote renaming is implemented by pushing the new ref and deleting the old remote ref, and state the collaboration impact plainly.

What this means

The skill can perform whatever branch push/delete actions the current Git credentials are allowed to perform.

Why it was flagged

These commands use the user's configured Git remote access to mutate branches on origin.

Skill content

git push origin "$new_name" 2>/dev/null || true
...
git push origin --delete "$trimmed" 2>/dev/null || true

Recommendation

Run it only in repositories where you intend to allow branch ref changes, and use Git branch protections or least-privilege credentials where possible.