v1.0.0

Random Tool

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:56 PM.

Analysis

The tool is simple and local, but it claims to generate cryptographically secure passwords/tokens while using non-cryptographic randomness.

Guidance: Treat this as suitable only for testing or non-security randomization. Do not rely on it for passwords, API keys, session IDs, cryptographic tokens, or other secrets unless the implementation is updated to use cryptographically secure randomness and the documentation accurately reflects the supported commands.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
Generate cryptographically secure random values ... Use for security tokens

The skill makes a strong security assurance and encourages use for sensitive tokens; the included implementation does not support that assurance.

User impact: A user or agent may trust the output for passwords, API tokens, or other secrets even though the generated values may be predictable enough to be unsafe for that purpose.
Recommendation: Do not use this skill for passwords, tokens, keys, or other security-sensitive randomness unless it is changed to use a cryptographic source such as Python's secrets module and the documentation is corrected.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/genrandom.py
import random ... return ''.join(random.choice(chars) for _ in range(length))

The password and string generation paths use Python's standard random module, which is not intended for cryptographic secrets, despite the tool being advertised for security-token/password generation.

User impact: Security-sensitive values generated by the tool could be weaker than expected, increasing the risk of guessed or predicted credentials.
Recommendation: Replace uses of random.choice, random.randint, and random.uniform for secret generation with cryptographically secure APIs such as secrets.choice, secrets.token_urlsafe, or random.SystemRandom where appropriate.