This skill allows arbitrary command execution, instruction injection, and
Claims to do
Finish Feature: Orchestrate a feature branch through a comprehensive quality pipeline before merge. 9 sequential steps, each runs once to completion.
Actually does
This skill orchestrates a nine-step quality pipeline for a feature branch. It uses `git` commands for repository management and `gh` CLI to interact with GitHub for PR creation, review management (including Copilot), and CI checks. It also invokes other skills (`review-loop`, `test-completeness`, `codex:rescue`) and dispatches subagents with specific prompts to perform spec, quality, and documentation checks, updating the PR and generating a final report.
The 'full auto' mode explicitly grants the AI authority to make critical decisions, fix code, resolve conflicts, and adapt code without human confirmation, bypassing human oversight and enabling potential goal hijacking.
Full auto — AI handles everything autonomously, including decisions, error resolution, and trade-offs. ... automation=full → attempt auto-resolve with git merge ... automation=full → analyze impact, adapt code if safe
Extensive use of `git` and `gh` commands, including `gh api` for GraphQL queries and PR content manipulation, provides capabilities for arbitrary command execution, data exfiltration, and credential harvesting if arguments are manipulated.
`gh pr view`, `gh pr create`, `gh pr edit`, `gh api repos/{owner}/{repo}/pulls/{pr}/reviews`, `gh api graphql`
Heavy reliance on invoking external skills (`review-loop`, `test-completeness`, `codex:rescue`) and dispatching numerous subagents introduces significant supply chain risk if any dependency is compromised or manipulated.
Invoke skill `winrey-toolkit:review-loop` ... Delegate review to Codex via `codex:rescue` skill ... Dispatch spec-checker subagent
The skill directly embeds `DIFF_CONTENT` into subagent prompts (Codex review) and reads `SPEC_PATH` contents for processing, creating a vector for injecting hidden instructions or malicious content to manipulate subagents.
`{DIFF_CONTENT}` in `codex-reviewer-prompt.md` ... `PLAN_OR_REQUIREMENTS` reads `SPEC_PATH` file contents
The 'Review Opinion Handling Principle' allows the agent, especially in 'full' automation, to autonomously judge and act upon review feedback, which can be exploited to bypass legitimate security concerns.
For each review opinion: Clearly valid → fix code, Clearly invalid / false positive → Do NOT fix... Uncertain → automation=full → analyze pros/cons, make a judgment call
The skill saves the `TARGET_BRANCH` to memory for future runs, creating a persistent state that could be poisoned to redirect subsequent operations to an incorrect or malicious target branch.
Save confirmed target branch to memory for future runs.