Finishing a Development Branch
v0.1.0Use when implementation is complete, all tests pass, and you need to decide how to integrate the work - guides completion of development work by presenting structured options for merge, PR, or cleanup
⭐ 0· 1.1k·62 current·67 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's purpose (guiding branch completion) matches the instructions (run tests, merge/push/PR/discard, clean worktrees). However the registry metadata claims no required binaries or credentials, but the SKILL.md clearly expects git, git-worktree, a test runner (npm/cargo/pytest/go), basic shell tools (grep, cat), and the GitHub CLI (gh). That mismatch is problematic: a user would reasonably expect the skill to declare these dependencies.
Instruction Scope
The instructions are narrowly scoped to finishing a branch and include sensible safeguards (test verification, typed confirmation for discard, explicit options). They instruct the agent to run destructive commands (git branch -D, git worktree remove, git push), which is appropriate for the purpose but requires explicit user consent and correct credentials. The skill does not instruct the agent to read arbitrary unrelated files or environment variables.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be downloaded or written by the skill itself. That lowers installation risk.
Credentials
The SKILL.md implicitly requires authenticated git operations and use of the GitHub CLI (gh pr create), which require credentials (git remote auth and GH credentials like GITHUB_TOKEN or gh auth). The skill metadata declares no required env vars or primary credential, so the credential needs are not surfaced to the user. This is disproportionate: pushing, PR creation, and deletions should require explicit credential declarations and clear user consent.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or cross-skill modification. It does perform destructive repo operations when invoked, but it does not request elevated platform privileges or to persistently alter agent configuration.
Scan Findings in Context
[NO_FINDINGS] expected: The regex scanner found no code files — this is expected because the skill is instruction-only (SKILL.md). The absence of findings is not evidence that the instructions are harmless; review of SKILL.md is the primary signal.
What to consider before installing
This skill appears to be a focused procedure for finishing a git branch, but there are important mismatches you should address before installing: (1) The SKILL.md runs git, git-worktree, a test runner (npm/cargo/pytest/go), grep/cat, and the GitHub CLI (gh) — but the package metadata declares no required binaries. Confirm those tools are available on the agent's PATH. (2) The skill will push branches and create PRs and can delete branches or worktrees; those operations require git/remote authentication (e.g., SSH keys or HTTPS creds) and gh auth (or a GITHUB_TOKEN). The skill does not declare required environment variables for credentials. Only install if you are comfortable providing the necessary credentials and trust the agent to perform destructive actions. (3) If you plan to let the agent run autonomously, restrict its scope or require explicit user confirmations for push/delete actions; consider running the skill in a dry-run mode first. Recommended fixes before proceeding: update the skill metadata to list required binaries (git, gh, appropriate test runners) and declare that authenticated git/GH credentials are required; add explicit dry-run and verbose confirmation options; and ensure discard/push operations require interactive confirmation from the human operator.Like a lobster shell, security has layers — review code before you run it.
latestvk97282yw30vtkk4gr9dsx2vz1180wwp0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.