Jd Search
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a narrow JD internal product-search helper, but the reviewed files do not include the CLI executable it describes.
Before installing, confirm you are authorized to use the JD internal search service and inspect or obtain the missing `jd-search` executable from a trusted source. Do not symlink or run an unverified command.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not run as packaged, or a user may end up running a `jd-search` binary from somewhere else that was not part of this review.
The package declares a runnable CLI file, but the supplied manifest/code-presence data shows no `jd-search` implementation and no install spec, so the command code was not reviewable.
"bin": {
  "jd-search": "./jd-search"
}
Verify the exact `jd-search` executable source and contents before adding it to PATH or allowing the agent to invoke it.
Searches may access internal JD infrastructure and should only be run by users who are authorized to use that environment.
The skill targets an internal JD service. That is purpose-aligned for this JD Gongcai search helper, but it relies on organizational network access.
- **API address**: `http://vproxy-search.jd.local/` ... 1. The API is an intranet service and must be called from within the JD intranet environment
Use this only on an authorized JD internal network, and avoid sending search terms that should not be queried against that service.
