Jd Writer

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a local job-description helper, but its metadata and scripts are inconsistent and one extra script can keep a local history log.

Before installing, be aware that the advertised commands and actual scripts do not fully match. If you use it, run only the intended local scripts, avoid entering confidential hiring material into the extra logging script, and prefer a version whose metadata declares its Python requirement and documents any local history storage.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may not behave as described, and users may waste time or run alternate commands to find the intended functionality.

Why it was flagged

SKILL.md advertises these commands, while scripts/jd.sh only documents and handles `generate`, `roles`, and `help`. This is a user-facing documentation/runtime mismatch.

Skill content

`jd.sh write`, `jd.sh requirements`, `jd.sh benefits`, `jd.sh optimize`, `jd.sh benchmark`, `jd.sh inclusive`

Recommendation

Align SKILL.md with the actual wrapper commands, or update scripts/jd.sh to call the JD functions described in the documentation.

What this means

Users or agents may not realize from metadata alone that local Python scripts are part of the skill.

Why it was flagged

The registry metadata under-declares the local runtime requirements and code footprint; SKILL.md separately says Python 3.6+ is required and the scripts invoke Python.

Skill content

Required binaries (all must exist): none ... No install spec — this is an instruction-only skill ... Code file presence: 3 code file(s)

Recommendation

Declare `python3` as a required binary and make the install/runtime metadata match the shipped files.

What this means

Topics or text entered into that script could remain on the local machine after the command finishes.

Why it was flagged

If this bundled alternate script is invoked, it persists command names and user-provided arguments to a local history file. This persistence is not described in SKILL.md.

Skill content

DATA_DIR="${JD_WRITER_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/jd-writer}" ... _log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }

Recommendation

Document the local history behavior, avoid entering confidential hiring text into the alternate script, or remove/disable logging if it is unnecessary.