You can directly inject an expression in the custom query
{{ hello }}
You need to ensure "hello" variable is a number, else it's a security vulnerability (SQL Injection). Ensureness can be achieved by using the toNumber (paraphrased) formatter, or by using relevant validation beforehand
If it is any help, i had a similar issue in the very early days of Wappler (my first project actually) long before custom extensions. I needed to change records displayed every hour or so (it was property rentals featured properties)
As RAND if not very effective regarding optimisation and at that time RAND could not be used in standard queries, i added a field to the appropriate table called order.
I then added a schedule (actually a cron job as this was PHP, before node was even thought about) which wrote a random number (between bounds obviously) to the order field or each record effectively changing the order.
Then i could just use SORT on the order field to effectively randomise the records each hour.
Bit of a workaround but it actually worked very effectively