Finishing Branch

Review

Audited by ClawScan on May 10, 2026.

Overview

This skill is mostly a normal Git branch-finishing workflow, but it has high-impact branch/worktree cleanup actions and an internal conflict about whether a PR workflow should remove the worktree.

Review the chosen option carefully before letting the agent execute it. In particular, confirm whether Option 2 should keep or remove the worktree, and use dry-run/manual review before any branch cleanup that deletes local or remote branches.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

After creating a PR, the agent may remove a local worktree even though another section says it should be kept.

Why it was flagged

The PR path both instructs cleanup and later forbids automatic cleanup for Option 2. Because the cleanup command removes a Git worktree, the agent could alter the user's local checkout contrary to another part of the same skill.

Skill content

#### Option 2: Push and Create PR ... Then: Cleanup worktree (Step 5) ... **For Options 1, 2, 4 only:** ... git worktree remove <worktree-path> ... - Automatically cleanup worktree for Options 2 or 3

Recommendation

Before using Option 2, explicitly tell the agent whether to keep or remove the worktree; the skill should be corrected so all sections agree.

What this means

The agent can publish branches and open pull requests using your configured repository credentials if you choose that workflow.

Why it was flagged

Creating PRs and pushing branches use the user's configured Git/GitHub identity. This is expected for the skill, but it is account-affecting authority.

Skill content

git push -u origin <feature-branch>

gh pr create --title "<title>" --body

Recommendation

Use this only in repositories where you are comfortable allowing the agent to push and create PRs, and review PR title/body content before submission.

What this means

If run with --delete in a shared repository, the helper script may remove multiple local and remote branches.

Why it was flagged

The helper script can delete all branches it determines are merged, including attempting remote deletion. This requires the explicit --delete flag and is related to cleanup, but it is broader than finishing a single branch.

Skill content

if args.delete:
        targets = merged  # only delete branches confirmed merged
...
    rc, _, err = run_git_rc("push", "origin", "--delete", branch)

Recommendation

Run the script first without --delete or with --dry-run, and only use --delete after reviewing the exact branch list.

What this means

Using the helper in an untrusted repository could run code defined by that repository's test setup.

Why it was flagged

The script runs detected project test commands. That is central to the skill's purpose, but test commands can execute arbitrary project-defined code.

Skill content

runner = detect_test_runner() ... rc = subprocess.run(runner, shell=True).returncode

Recommendation

Only run the test automation in repositories you trust, or inspect the detected test command before running.

What this means

Manual installation using the README's install command could retrieve different content later if the upstream branch changes.

Why it was flagged

The README documents a manual install command from an unpinned GitHub branch. This is not an automatic install spec in the registry, but manual users would be fetching from a moving source.

Skill content

npx add https://github.com/wpank/ai/tree/main/skills/tools/finishing-branch

Recommendation

Prefer the reviewed registry artifact or pin the GitHub source to a specific commit before manual installation.