Finishing Branch

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Git branch-finishing helper, but it needs review because it can delete local and remote branches and has inconsistent cleanup instructions.

Install only if you are comfortable letting the agent assist with Git/GitHub workflow actions in the current repository. Use dry-run or listing modes first, confirm the exact branch and worktree path before cleanup, and avoid running it on untrusted repositories because project tests can execute code from that repository.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if dry_run:
        print("  [dry-run] Would run tests.")
        return True
    rc = subprocess.run(runner, shell=True).returncode
    if rc != 0:
        print(f"  Tests failed (exit {rc}). Fix before finishing the branch.")
        return False
Confidence
98% confidence
Finding
rc = subprocess.run(runner, shell=True).returncode

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script can delete remote branches via 'git push origin --delete', which is a destructive repository mutation and exceeds the stated skill purpose of presenting integration/cleanup options. In an agent context, this creates a real risk of unintended or unauthorized deletion of shared branches if the script is invoked automatically or with insufficient human confirmation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Direct remote repository mutation is dangerous in this skill context because the skill is described as decision support for finishing a branch, not as an administrative branch-deletion tool. That mismatch increases the chance an operator or autonomous agent will invoke destructive actions without understanding that remote state will be changed.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it should present structured options for merge, PR, or cleanup, but the implementation can delete local and remote branches when --cleanup is supplied. In an agent context, this exceeds a narrow advisory role and can cause destructive repository changes if the flag is used automatically or under ambiguous user intent.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases include very generic language such as "done with feature" and "implementation complete," which are common in normal developer conversation and can cause the skill to activate unintentionally. Because this skill can guide branch integration, PR creation, cleanup, or discard flows, accidental activation could push the agent into performing or proposing impactful repository actions at the wrong time.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger phrases include common terms like 'merge branch', 'create PR', and 'implementation complete', which are broad enough to cause accidental activation during ordinary conversation. Unintended invocation is risky here because the skill is operational and can lead to merges, pushes, deletions, or cleanup flows being initiated in the wrong context.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The keyword list repeats ambiguous activation terms without clear scope constraints, increasing the chance the skill is triggered by casual references rather than an intentional request. In a skill that can execute git and cleanup commands, accidental activation materially raises the risk of undesired state changes or destructive prompts.

VirusTotal

65/65 vendors flagged this skill as clean.
