Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dividend Premium Tracker
v1.0.1
Track the dividend premium (dividend yield minus 10-year bond yield) for the CSI Dividend Low Volatility Index. Monitor the dividend yield and the 10-year bond yield, and calculate the premium for investment decisions.
by @gykdly
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name/description match the scripts' functionality: they download index and bond yield data and compute a dividend premium. However, the implementation shows inconsistencies (two different premium calculations: one script uses div_rate - bond_yield, the other uses div_rate * 100 - bond_yield) and assumptions about data units that are not documented. These inconsistencies mean results may be incorrect even though the intended purpose is aligned.
Instruction Scope
SKILL.md instructs running the included scripts and optionally setting TELEGRAM_BOT_TOKEN. The scripts access only known public endpoints (csindex and chinabond) and write local CSV/Excel files, which is expected. Concerns: both scripts write to a hard-coded absolute DATA_DIR (/Users/liyi/.openclaw/workspace) rather than a configurable path; the monitor script hard-codes TELEGRAM_CHAT_ID = "505395883" (messages would be sent to that chat id if the bot token is accepted); and the code uses os.system/subprocess to call curl. SKILL.md contains no instruction warning about the hard-coded path or chat id.
Install Mechanism
No install spec; scripts are included as files and rely on Python and curl. This is the lowest-risk install mechanism (nothing is downloaded/installed at runtime by the skill itself).
Credentials
No required environment variables are declared, and the SKILL.md mentions an optional TELEGRAM_BOT_TOKEN. That is reasonable for alerts, but the code also hard-codes a TELEGRAM_CHAT_ID. If a user supplies a bot token, the script will attempt to send messages to that hard-coded chat id (likely the developer's), which is unexpected behavior: alerts probably should go to a user-configurable chat id. No other credentials are requested, which is proportional.
Persistence & Privilege
The skill is not set to always:true and does not request elevated system privileges or modify other skills/configs. It writes files to a fixed local path (which is a privilege to write to that path, but not a platform-level persistence flag).
What to consider before installing
This skill implements the advertised tracking but has several red flags you should address before running it with your real data or credentials:
1) Fix the unit/logic inconsistency: the two scripts calculate 'premium' differently (one subtracts the bond yield from the dividend rate directly, the other first multiplies the dividend rate by 100), so verify which is correct for your data.
2) Remove or make configurable the absolute DATA_DIR (/Users/liyi/.openclaw/workspace) so files are saved where you expect.
3) Remove the hard-coded TELEGRAM_CHAT_ID or make the chat id configurable: currently alerts target a fixed numeric chat id (likely the developer's), which is unexpected and could leak alerts.
4) Review and fix bugs in generate_excel (there are references to an undefined 'data' and strange chart scale settings) before trusting generated reports.
5) Only set TELEGRAM_BOT_TOKEN if you intend the included bot to send messages and you trust where messages will be delivered; consider testing with a disposable bot and your own chat id first.
6) Run the scripts in a sandbox or test environment first to confirm behavior and outputs.
Given the inconsistencies and hard-coded endpoints/paths, treat this as suspicious rather than benign until those issues are resolved.
