Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Finishing Branch

v0.1.0

Complete development work by presenting structured options for merge, PR, or cleanup. Use when implementation is complete, all tests pass, and you need to decide how to integrate work. Triggers on finish branch, complete branch, merge branch, create PR, done with feature, implementation complete.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and included scripts (finish_branch.py, cleanup_branches.py) are coherent: they implement finishing/cleaning branches. However the skill declares no required binaries or env vars while the code and SKILL.md assume git is available and optionally rely on 'gh' (GitHub CLI), language-specific test runners (npm, cargo, pytest, go test, make, tox), and network access for pushing/deleting remote branches. The omission of these runtime dependencies is an inconsistency that could surprise users.
Instruction Scope
SKILL.md instructions and the Python scripts stay within the stated purpose: verifying tests, determining base branch, presenting options, merging/pushing/creating PRs, and cleaning up worktrees/branches. The skill performs destructive git operations (local branch deletion, remote delete via 'git push origin --delete', worktree removal) — this is expected for the stated task but worth noting because these actions can permanently delete commits/branches if misused. The SKILL.md requires typed confirmation for 'discard' and the scripts support dry-run modes.
Install Mechanism
No install spec is provided (instruction-only is lower-risk). README suggests an 'npx add' command with a GitHub tree URL (https://github.com/.../tree/...) which is not a standard package install URL and looks inaccurate/confusing. Installation instructions are purely copy-based. No archives or external installers are pulled by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is appropriate for local git-based workflows. There is no indication of hidden credential access or external endpoint exfiltration in the code or SKILL.md.
Persistence & Privilege
Skill does not request 'always: true' and does not modify other skills or system-wide configuration. It executes transient git operations and prints cleanup commands; persistent privileges are not requested.
What to consider before installing
What to check before installing or running this skill:

  • Expect to run this only in repos you trust and can afford to change: the scripts perform branch deletion and remote deletion (git push origin --delete). Always run with --dry-run first.
  • Ensure required binaries are present: git is mandatory; GitHub PR creation uses 'gh' (GitHub CLI) if you want the automated PR flow; test runners (npm, cargo, pytest, go, make, tox) are used if detected. The skill metadata does not list these, so verify your environment.
  • The README's 'npx add <github tree url>' looks incorrect — don't run untrusted install commands from there. Prefer copying files locally or reviewing code first.
  • Review the scripts (finish_branch.py, cleanup_branches.py) manually to confirm behavior, and run them in a safe branch or clone before using on important work.
  • Confirm you have the git remote permissions you expect (deleting remote branches requires push/delete rights).
  • If you want extra safety, require interactive confirmations or back up references (tags or temp branches) before allowing automatic cleanup.

Confidence notes: I assessed source files and SKILL.md; there are no scan-findings flagged by the pre-scan, but the omission of declared runtime binaries and the odd README install example are the primary reasons for a 'suspicious' verdict. Additional context (author identity, signed releases, or an authoritative install path) would raise confidence toward benign.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Finishing a Development Branch

Complete development work by presenting clear options and executing the chosen workflow.

WHAT This Skill Does

After implementation is complete, guides you through verifying tests, presenting integration options, and executing the chosen path (merge, PR, keep, or discard).

WHEN To Use

  • Implementation is complete
  • All tests pass
  • Ready to integrate work into the main branch

KEYWORDS: finish branch, complete branch, merge, PR, done with feature


The Process

Step 1: Verify Tests

npm test / cargo test / pytest / go test ./...

If tests fail: Stop. Cannot proceed until tests pass.

Tests failing (N failures). Must fix before completing:
[Show failures]

If tests pass: Continue to Step 2.

Step 2: Determine Base Branch

git merge-base HEAD main 2>/dev/null || git merge-base HEAD master 2>/dev/null

Or confirm: "This branch split from main - is that correct?"

Step 3: Present Options

Present exactly these 4 options:

Implementation complete. What would you like to do?

1. Merge back to <base-branch> locally
2. Push and create a Pull Request
3. Keep the branch as-is (I'll handle it later)
4. Discard this work

Which option?

Step 4: Execute Choice

Option 1: Merge Locally

git checkout <base-branch>
git pull
git merge <feature-branch>
<run tests again>
git branch -d <feature-branch>

Then: Cleanup worktree (Step 5)

Option 2: Push and Create PR

git push -u origin <feature-branch>

gh pr create --title "<title>" --body "$(cat <<'EOF'
## Summary
<2-3 bullets of what changed>

## Test Plan
- [ ] <verification steps>
EOF
)"

Then: Cleanup worktree (Step 5)

Option 3: Keep As-Is

Report: "Keeping branch <name>. Worktree preserved at <path>."

Do NOT cleanup worktree.

Option 4: Discard

Confirm first:

This will permanently delete:
- Branch <name>
- All commits: <commit-list>
- Worktree at <path>

Type 'discard' to confirm.

Wait for exact confirmation. If confirmed:

git checkout <base-branch>
git branch -D <feature-branch>

Then: Cleanup worktree (Step 5)

Step 5: Cleanup Worktree

For Options 1, 2, 4 only:

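# Check if in worktree: fixed-string match on the "[branch]" column of the
# listing; quoted so an empty name (detached HEAD) cannot break grep
git worktree list | grep -F -- "[$(git branch --show-current)]"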

# If yes:
git worktree remove <worktree-path>

For Option 3: Keep worktree.
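
The Option 4 discard path with the safeguards the page asks for (a listing of what will be lost, the exact typed confirmation, a dry-run mode, and the backup reference suggested in the scan notes), as an added example that is not code from the skill or its scripts. The function names and the backup/discarded/ tag prefix are assumptions.

```shell
# Added example: guarded form of Option 4 (Discard). All names here are
# hypothetical; they do not come from finish_branch.py or cleanup_branches.py.

# Succeeds only when the reply is exactly the word the skill requires.
confirm_discard() {
  [ "$1" = "discard" ]
}

# Commits reachable only from the feature branch (what "branch -D" would orphan).
commits_at_risk() {   # usage: commits_at_risk <base> <feature>
  git log --oneline "$1..$2" --
}

# usage: safe_discard <base> <feature> <typed-reply> [--dry-run]
# returns 0 on success/dry run, 1 if not confirmed, 2 on bad input, 3 on git error
safe_discard() {
  local base="$1" feature="$2" reply="$3" mode="${4:-}"
  git rev-parse --verify --quiet "refs/heads/$feature" >/dev/null || {
    echo "no such local branch: $feature" >&2; return 2; }
  [ "$feature" != "$base" ] || {
    echo "refusing to discard the base branch" >&2; return 2; }

  echo "This will permanently delete branch $feature and these commits:"
  commits_at_risk "$base" "$feature"

  confirm_discard "$reply" || {
    echo "not confirmed; nothing deleted" >&2; return 1; }
  if [ "$mode" = "--dry-run" ]; then
    echo "dry run; nothing deleted"; return 0
  fi

  # Recovery point: a lightweight tag keeps the commits reachable after -D.
  local tag="backup/discarded/$feature-$(git rev-parse --short "$feature")"
  git tag "$tag" "$feature" || return 3
  git checkout --quiet "$base" || return 3
  git branch -D "$feature" >/dev/null || return 3
  echo "deleted $feature; restore with: git branch $feature $tag"
}
```

Delete the backup tag with `git tag -d` once the work is confirmed unwanted; until then the discarded commits are not eligible for garbage collection.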


Quick Reference

Option            Merge  Push  Keep Worktree  Cleanup Branch
1. Merge locally  ✓      -     -              ✓
2. Create PR      -      ✓     ✓              -
3. Keep as-is     -      -     ✓              -
4. Discard        -      -     -              ✓ (force)

NEVER

  • Proceed with failing tests
  • Merge without verifying tests on the result
  • Delete work without typed confirmation ("discard")
  • Force-push without explicit request
  • Skip presenting all 4 options
  • Automatically cleanup worktree for Options 2 or 3
  • Ask open-ended "What should I do next?" (use structured options)

Integration

Called by:

  • subagent-development (after all tasks complete)
  • executing-plans (after all batches complete)

Pairs with:

  • git-worktrees - Cleans up worktree created by that skill
