Back to skill
Skillv1.0.0
VirusTotal security
Proof-of-Quality - BTC PoW Verifiable Excellence · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:20 AM
- Hash
- de3b092ea9c14681cef4b8fe346eb1c3b1418592236cafb532a549a0aa33e1b1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: proof-of-quality Version: 1.0.0 The skill is classified as suspicious due to two main reasons. First, the `poq.js` script uses `fs.readFileSync` to read files specified by a `skillPath` argument, which defaults to `../molt-security-auditor/SKILL.md`. This allows local file access outside the skill's own directory, posing a risk of arbitrary file disclosure if the agent's input validation is insufficient. Second, the `SKILL.md` contains an instruction for the agent to set up a cron job (`cron every=6h: PoQ skills.`), which is a form of persistence, even if its stated purpose is to periodically run the skill's 'Proof-of-Quality' process.
- External report
- View on VirusTotal