Quantum Lab
Pass
Audited by VirusTotal on May 14, 2026.
Findings (1)
OpenClaw Agent Skill
Suspicious
High-Entropy/Eval files: 1

The `scripts/qexec.sh` script uses `exec "$@"`, allowing arbitrary command execution within the activated virtual environment and specified root directory. While the `SKILL.md` instructs the agent to use this for `python` and `pip install` commands, the underlying mechanism is broad. The `SKILL.md` also explicitly allows `pip install -r requirements.txt`, which can fetch and execute arbitrary code from package repositories, posing a supply chain risk. These capabilities, though potentially legitimate for the skill's stated purpose, introduce significant risk without clear evidence of intentional malicious behavior.
