Skill v2.0.0
ClawScan security
Jd Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match the stated purpose (generating and optimizing job descriptions); included scripts are local, have no network calls or secret requests, and only create a small local data directory for logging.
- Guidance: This skill appears coherent and self-contained: it generates and analyzes job descriptions locally with no network calls or secret access. Before installing, note that one included helper (scripts/script.sh) will create a directory under your data home (default ~/.local/share/jd-writer) and write history.log entries. If you want zero on-disk traces, avoid running that helper; otherwise inspect the log directory after first run. Also consider reviewing the files yourself (jd.py, jd.sh, script.sh) if you want to confirm templates and wording, and be mindful to remove or edit any placeholder contact (e.g., hr@<company>.com) before publishing JDs.
Review Dimensions
- Purpose & Capability (ok): Name/description (JD writer, requirements, benefits, benchmark, inclusivity check) align with the provided scripts (jd.py, jd.sh, script.sh) which generate templates, benchmarks, optimization and inclusive-check guidance. Required binaries/env are none, matching the stated minimal requirements (Python 3.6+ noted in SKILL.md).
- Instruction Scope (note): SKILL.md instructs running scripts/jd.sh which invokes a Python snippet producing JD output. The scripts perform only template generation and text analysis. One omission: SKILL.md does not mention that scripts/script.sh will create and write logs to a user data directory (~/.local/share/jd-writer by default). There are no instructions to read unrelated system files or to transmit data externally.
- Install Mechanism (ok): There is no install spec; this is instruction-plus-local-scripts only. All code is included in the skill bundle; there are no downloads, package installs, or extract steps that would pull remote code at install time.
- Credentials (ok): The skill does not require any environment variables or credentials. It optionally respects JD_WRITER_DIR/XDG_DATA_HOME for its local data directory, which is proportional to its small logging behavior.
- Persistence & Privilege (note): The skill is not always-enabled and does not request elevated privileges. However, scripts/script.sh creates a data directory and appends to a history.log in the user's data area by default; this is benign persistence but worth noting since SKILL.md does not document it explicitly.
