Proof-of-Quality - BTC PoW Verifiable Excellence
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill does not appear to steal data, but its advertised “proof of quality” is based on a trivial check rather than a real benchmark, which could mislead users.
Review this carefully before trusting its output: it is not a real skill-quality or security benchmark. If you run it, use an explicit file path, watch CPU usage, and avoid recurring cron execution unless you deliberately configure and monitor it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or collaborator could treat the PoQ output as a real quality or security assessment when it does not meaningfully verify the skill.
The implementation scores quality with a simple line-count/string check and makes the proof depend only on score+nonce, not on real benchmark results or the exact skill artifact.
const quality = lines > 10 && skillContent.includes('PoW') ? 98 : 80; ... const hashInput = score + nonce;Do not rely on this as assurance evidence unless it is replaced with real tests and the proof hashes the exact artifact, benchmark inputs, threshold, and nonce.
Running it without an explicit path may evaluate a surprising sibling file, and the hashing loop can consume CPU until a nonce is found.
The script reads a command-line or default local path and performs an unbounded proof-of-work loop; this is purpose-aligned but has local file-scope and CPU-use effects.
const skillPath = process.argv[2] || '../molt-security-auditor/SKILL.md'; ... const skillContent = fs.readFileSync(skillPath, 'utf8'); ... while (true) {Run it only with an explicit intended skill path and consider adding validation, a timeout, or a maximum nonce limit.
If configured, the skill could run periodically and repeatedly read skill files and use CPU.
The documentation suggests recurring scheduled execution. No artifact shows automatic cron installation, so this is a user-directed persistence note rather than hidden persistence.
cron every=6h: PoQ skills.
Only set up a cron job if you intentionally want recurring evaluations, and keep the schedule and paths narrowly scoped.