Dividend Premium Tracker

Audited by ClawScan on May 10, 2026.

Overview

The tracker mostly matches its stated purpose, but its Telegram alerting sends to a hard-coded chat ID, and it builds the alert as a shell command string by interpolation and runs it with os.system.

Review the Telegram alert code before installing. Do not set TELEGRAM_BOT_TOKEN unless you have changed the chat ID to your own verified recipient and replaced the unsafe shell command with safer HTTP handling. Also consider changing the hard-coded output directory before running or scheduling the scripts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If Telegram alerts are enabled, investment-alert messages may be sent to an unintended Telegram chat or fail silently instead of going to the user.

Why it was flagged

The script uses a user-provided Telegram bot token but sends alerts to a fixed chat ID that is not user-configurable or disclosed in the setup instructions.

Skill content
TELEGRAM_TOKEN = os.getenv("TELEGRAM_BOT_TOKEN", "")
TELEGRAM_CHAT_ID = "505395883"
...
-d chat_id={TELEGRAM_CHAT_ID}
Recommendation

Do not enable Telegram alerts until the chat ID is configurable and documented, for example via a TELEGRAM_CHAT_ID environment variable with a clear recipient verification step.

What this means

A crafted value in the local CSV, or a crafted environment variable, could cause unintended shell commands to run on the user's machine when an alert is sent.

Why it was flagged

The alert message and the bot token are interpolated into a shell command string that is executed with os.system. The message sits inside a double-quoted shell string, so any CSV-derived field containing a double quote, $(...) or backticks is interpreted by the shell rather than sent as text, and the same applies to the token read from the environment.

Skill content
cmd = f"""curl -s -X POST https://api.telegram.org/bot{TELEGRAM_TOKEN}/sendMessage \
      -d chat_id={TELEGRAM_CHAT_ID} \
      -d text="{message}" \
      -d parse_mode=HTML"""

os.system(cmd)
Recommendation

Replace os.system with an HTTP client (for example urllib.request or requests) that sends the message as a form field, or, if curl must be kept, call subprocess.run with an argument list so the message is passed as a single argument and never re-parsed by a shell. Validate the chat ID, and HTML-escape every CSV-derived field if parse_mode=HTML is retained.
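The following is an added example of the hardened alert path recommended for the two findings above, written for this review rather than taken from the skill. It reads both the token and the chat ID from the environment (TELEGRAM_CHAT_ID is the assumed variable name from the first recommendation), HTML-escapes CSV-derived fields, sends the message as a form field through urllib, and also shows the curl equivalent as an argv list for subprocess.run. The opener parameter on send_alert exists only so the function can be exercised without network access.

```python
import html
import json
import os
import urllib.parse
import urllib.request

TELEGRAM_API = "https://api.telegram.org"


def load_telegram_config(env=None):
    """Return (token, chat_id) from the environment, or None if alerts are not configured.

    Both values come from the user's environment; nothing is hard-coded. A Telegram
    chat ID is an integer (negative for groups/channels), so anything else is rejected.
    TELEGRAM_CHAT_ID is an assumed variable name, not one the skill defines today.
    """
    env = os.environ if env is None else env
    token = env.get("TELEGRAM_BOT_TOKEN", "").strip()
    chat_id = env.get("TELEGRAM_CHAT_ID", "").strip()
    if not token or not chat_id:
        return None
    if not chat_id.lstrip("-").isdigit():
        raise ValueError("TELEGRAM_CHAT_ID must be a numeric Telegram chat ID")
    return token, chat_id


def render_alert(fields):
    """Build the HTML-mode message body from CSV-derived values.

    Every key and value is HTML-escaped, so a crafted cell cannot inject markup;
    the only tags in the message are the ones this function writes itself.
    """
    lines = [f"<b>{html.escape(str(k))}</b>: {html.escape(str(v))}" for k, v in fields.items()]
    return "\n".join(lines)


def build_send_message_request(token, chat_id, text, parse_mode="HTML"):
    """Return a urllib Request for sendMessage with the text as a form field.

    urlencode percent-encodes the text, so quotes, $(...), backticks and newlines
    travel as data. No shell is involved anywhere on this path.
    """
    form = {"chat_id": chat_id, "text": text, "parse_mode": parse_mode}
    url = f"{TELEGRAM_API}/bot{urllib.parse.quote(token, safe=':')}/sendMessage"
    return urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")


def build_curl_argv(token, chat_id, text, parse_mode="HTML"):
    """Equivalent curl invocation as an argv list for subprocess.run(argv, check=True).

    Each field is its own argument, so the message is never re-parsed by a shell,
    and --data-urlencode makes curl encode the value instead of sending it raw.
    """
    return [
        "curl", "-sS", "--fail", "-X", "POST",
        f"{TELEGRAM_API}/bot{token}/sendMessage",
        "--data-urlencode", f"chat_id={chat_id}",
        "--data-urlencode", f"text={text}",
        "--data-urlencode", f"parse_mode={parse_mode}",
    ]


def send_alert(fields, env=None, opener=urllib.request.urlopen):
    """Send one alert. Returns False if alerts are not configured, else Telegram's 'ok' flag."""
    config = load_telegram_config(env)
    if config is None:
        return False
    token, chat_id = config
    request = build_send_message_request(token, chat_id, render_alert(fields))
    with opener(request, timeout=10) as response:
        reply = json.load(response)
    return bool(reply.get("ok"))
```

Because the message only ever exists as a form field or a single argv element, a CSV cell such as `AAPL"; $(id)` is delivered to Telegram verbatim instead of being executed locally. Checking the sendMessage reply's `ok` field also turns the silent-failure case from the first finding into a visible result.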

What this means

If installed, the tracker will continue making network requests and writing report files on the schedule the user configured.

Why it was flagged

The skill documents an optional cron job that will keep running daily until the user removes it.

Skill content
### Cron Job (Daily Update)

crontab -e
# Add line:
0 17 * * * cd /path/to/skill && python3 scripts/update_dividend_premium.py --update
Recommendation

Only add the cron job if you want daily background updates, and record how to remove it later.

What this means

On any machine where that author-specific directory does not exist the script will fail; where it does exist, the script will overwrite whatever report files are already at that path.

Why it was flagged

The report output path is hard-coded to an author-specific absolute directory rather than a user-selected or skill-local path.

Skill content
DATA_DIR = "/Users/liyi/.openclaw/workspace"
CSV_FILE = os.path.join(DATA_DIR, "股息率溢价跟踪.csv")
EXCEL_FILE = os.path.join(DATA_DIR, "股息率溢价跟踪.xlsx")
Recommendation

Make the output directory configurable, default to a skill-local assets directory, and avoid overwriting existing files without clear user intent.
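As an added example for this recommendation (written for the review, not code from the skill), the output directory below is resolved from an environment override with a skill-local `assets` default, and reports are created with an exclusive open so an existing file is not clobbered unless the caller asks for it. The variable name DIVIDEND_TRACKER_DATA_DIR is an assumption; the two report file names are the ones the skill already uses.

```python
import os
import pathlib

ENV_VAR = "DIVIDEND_TRACKER_DATA_DIR"  # assumed override variable; the skill does not define one
DEFAULT_SUBDIR = "assets"              # skill-local default, a sibling of the scripts/ directory


def resolve_data_dir(script_path, env=None):
    """Pick the output directory: an explicit override wins, otherwise <skill>/assets.

    script_path is the running script (scripts/update_dividend_premium.py), so the
    default lands inside the skill checkout whatever the user's home directory is.
    """
    env = os.environ if env is None else env
    override = env.get(ENV_VAR, "").strip()
    if override:
        return pathlib.Path(override).expanduser()
    return pathlib.Path(script_path).resolve().parent.parent / DEFAULT_SUBDIR


def report_paths(data_dir):
    """The two report files the skill writes, placed under the chosen directory."""
    data_dir = pathlib.Path(data_dir)
    return {
        "csv": data_dir / "股息率溢价跟踪.csv",
        "xlsx": data_dir / "股息率溢价跟踪.xlsx",
    }


def write_report(path, content, overwrite=False):
    """Write content to path; refuse to replace an existing file unless overwrite=True.

    Mode 'x' opens with O_EXCL, so the existence check and the create are one
    atomic syscall rather than a check followed by a write. Returns True when the
    file was written and False when it already existed and overwrite was not set.
    """
    path = pathlib.Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    mode = "w" if overwrite else "x"
    try:
        with open(path, mode, encoding="utf-8") as handle:
            handle.write(content)
    except FileExistsError:
        return False
    return True
```

Wiring `--update` to `overwrite=True` and leaving the default at `False` gives the "clear user intent" the recommendation asks for: a first run creates the reports, and a scheduled run only replaces them when the user opted into updates.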