Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Randomization Gen
v1.0.0 · Generate block randomization lists for RCTs
by AIpoch (@aipoch-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name, description, SKILL.md, and the included Python script all match: they generate block and stratified randomization schedules and export CSVs. The requested resources (none) are proportional to the declared functionality.
Instruction Scope
SKILL.md stays on-topic and does not instruct network calls or access to unrelated credentials. However, the implementation does not validate output file paths (there is no prevention of directory traversal and no check that the target lies inside the workspace) and will open whatever filename is provided. SKILL.md's security checklist claims path validation, but the code does not implement it.
Install Mechanism
No install spec; the skill is instruction-only with an included script. No external downloads or package installs are requested, minimizing install risk.
Credentials
The skill requests no environment variables or credentials. It only performs local file writes/reads via standard Python I/O, which is proportionate to generating and exporting schedules.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges or modify other skills. It writes CSV files as expected, though wherever the supplied filename points rather than only inside the working directory (see Instruction Scope), and does not claim persistent system presence.
What to consider before installing
This skill appears to do what it claims (generate block and stratified randomization lists) and does not request secrets or network access. Before installing or running it, consider:

1) Run it in a sandbox or restricted workspace. The script opens whichever filename you pass and does not validate paths, so a path like ../../something can overwrite files outside the intended directory.
2) Validate user-supplied output paths yourself (or patch the script) to prevent directory traversal and to confirm you have permission to write the target.
3) Edge-case behavior: stratified_randomization uses integer division (n_subjects // len(strata)) and drops the remainder, so up to len(strata) - 1 subjects are never allocated. Decide whether that is acceptable or modify the logic to distribute the remainder across strata.
4) The exporter fails on an empty schedule (schedule[0].keys() raises IndexError), so add an empty-schedule check if that case can occur.
5) If you plan to run this on sensitive systems, confirm the runtime environment and filesystem permissions first.

These issues look like sloppy or omitted validation rather than intentional misdirection, but review or patch the code before using it in a production or high-stakes clinical environment.

Like a lobster shell, security has layers — review code before you run it.
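The following is an added hardening sketch for the three findings above (the missing output-path validation noted under Instruction Scope and in point 1, the dropped remainder in point 3, and the empty-schedule crash in point 4). It is example code written for this review, not the skill's own script: the skill's function signatures are not shown on this page, so the names safe_output_path, is_path_allowed, block_randomize, stratified_block_schedule, export_csv and write_schedule are hypothetical, and the workspace path and trial parameters are constructed for illustration.

```python
"""Added example, not the skill's code. Shows a workspace-confined output path,
remainder-preserving stratified allocation, and an exporter that survives an
empty schedule. All function names below are hypothetical."""
import csv
import io
import random
from pathlib import Path


def safe_output_path(workspace, user_path):
    """Resolve user_path inside workspace and refuse anything that escapes it.

    resolve() normalises '..' segments and follows symlinks, so '../../something'
    and a symlinked subdirectory pointing outside the workspace are both rejected.
    An absolute user_path replaces the base in the join, so it is rejected too
    unless it already lies inside the workspace.
    """
    base = Path(workspace).resolve()
    target = (base / user_path).resolve()
    if base not in target.parents:
        raise ValueError(f"refusing to write outside {base}: {user_path!r}")
    return target


def is_path_allowed(workspace, user_path):
    """Boolean form of the check above, for callers that prefer no exception."""
    try:
        safe_output_path(workspace, user_path)
    except ValueError:
        return False
    return True


def block_randomize(n, arms, block_size, rng):
    """Permuted-block allocation of n subjects to arms, balanced within each block."""
    if block_size % len(arms):
        raise ValueError("block_size must be a multiple of the number of arms")
    per_arm = block_size // len(arms)
    seq = []
    while len(seq) < n:
        block = [arm for arm in arms for _ in range(per_arm)]
        rng.shuffle(block)
        seq.extend(block)
    return seq[:n]  # a trailing partial block is unbalanced by at most per_arm


def stratified_block_schedule(n_subjects, strata, arms, block_size, seed):
    """Allocate n_subjects across strata without losing the remainder.

    A plain n_subjects // len(strata) share per stratum silently drops
    n_subjects % len(strata) subjects; divmod hands one extra subject to each
    of the first `rem` strata instead, so every subject is allocated.
    """
    rng = random.Random(seed)  # fixed seed keeps the list reproducible for audit
    base, rem = divmod(n_subjects, len(strata))
    schedule = []
    for i, stratum in enumerate(strata):
        share = base + (1 if i < rem else 0)
        for j, arm in enumerate(block_randomize(share, arms, block_size, rng), start=1):
            schedule.append({"stratum": stratum, "subject": f"{stratum}-{j:03d}", "arm": arm})
    return schedule


FIELDS = ("stratum", "subject", "arm")


def export_csv(schedule, fieldnames=FIELDS):
    """Render a schedule as CSV text. Column names are fixed up front, so an
    empty schedule yields a header-only file instead of an IndexError from
    schedule[0].keys()."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fieldnames))
    writer.writeheader()
    writer.writerows(schedule)
    return buf.getvalue()


def write_schedule(workspace, user_path, schedule):
    """Export to a path that has passed the traversal check; returns the resolved path."""
    target = safe_output_path(workspace, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    with target.open("w", newline="", encoding="utf-8") as fh:  # csv already emits \r\n
        fh.write(export_csv(schedule))
    return target


if __name__ == "__main__":
    import tempfile
    ws = tempfile.mkdtemp()  # constructed workspace for the demo
    sched = stratified_block_schedule(10, ["siteA", "siteB", "siteC"],
                                      ["treatment", "control"], 4, seed=2024)
    print(write_schedule(ws, "out/schedule.csv", sched))
    try:
        write_schedule(ws, "../../something.csv", sched)
    except ValueError as exc:
        print(exc)
```

The containment test compares resolved paths rather than string prefixes, which is what defeats both `..` segments and symlinks; checking `user_path.startswith(workspace)` would pass `/tmp/rct_ws/../etc/passwd`. The exporter takes its column list explicitly so the empty case is a header-only file, which is usually the right output for a downstream loader.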
latest: vk979d1fchb5qqyh7q963360vfx83zp6h
