Is gykdly/dividend-premium-tracker safe?
https://github.com/openclaw/skills/tree/main/skills/gykdly/dividend-premium-tracker
This skill is a personal financial monitoring tool published without sanitization, containing the author's personal macOS filesystem path and hardcoded Telegram chat ID. While no active malware or prompt injection was detected, the hardcoded Telegram recipient (ID 505395883) means any user who configures TELEGRAM_BOT_TOKEN — a step the SKILL.md explicitly encourages — will silently route their financial monitoring alerts to the skill author's account rather than their own. The code is also non-functional on any system other than the author's macOS machine due to the hardcoded /Users/liyi/ path.
Category Scores
Findings (6)
HIGH Hardcoded author Telegram chat ID routes alerts to skill author -30 ▶
monitor_dividend_premium.py hardcodes TELEGRAM_CHAT_ID = '505395883'. If any user or agent sets TELEGRAM_BOT_TOKEN in their environment (a common pattern in AI agent deployments), all financial monitoring alerts — including bond yield movements and premium threshold breaches — will be delivered to the skill author's Telegram account, not the user's. The SKILL.md explicitly instructs users to set TELEGRAM_BOT_TOKEN, making this an active data collection vector.
HIGH Personal macOS path hardcoded as data directory -12 ▶
Both scripts hardcode DATA_DIR = '/Users/liyi/.openclaw/workspace', a path that only exists on the skill author's personal macOS machine. This confirms the code was never generalized before publishing. On any other system this will fail, but it also reveals the intended data storage location on the author's machine — suggesting this was tested and used as a personal tool before being uploaded to the skills marketplace.
MEDIUM External file downloads via os.system() without integrity verification -15 ▶
Both scripts use os.system(f"curl -s -o {local_file} '{url}'") to download XLS files from csindex.com.cn. The downloaded files are then parsed with xlrd without any checksum, signature, or content verification. A compromised or adversarially-controlled version of the data source could deliver a malicious XLS file.
MEDIUM Crontab setup encourages persistent silent background execution -12 ▶
SKILL.md explicitly instructs users to install a daily crontab: '0 17 * * * cd /path/to/skill && python3 scripts/update_dividend_premium.py --update'. If an agent follows this instruction, it establishes a persistent daily process that makes external network calls without further user interaction, expanding the attack surface.
LOW Personal tool published without sanitization — functional failures likely -15 ▶
The combination of a hardcoded author username in the path (/Users/liyi/) and a hardcoded personal Telegram chat ID indicates this is a private tool uploaded without any hardening or generalization for public use. An agent attempting to run these scripts will encounter immediate failures when trying to write to /Users/liyi/ on a non-macOS system. The skill as published cannot function as documented on any machine other than the author's.
INFO Install-time network activity limited to expected GitHub clone 0 ▶
Monitoring captured only expected network connections during install: GitHub HTTPS (140.82.121.3:443) for the git clone, and background Ubuntu infrastructure connections. No connections to skill-author infrastructure, no DNS lookups for suspicious domains, and no persistent listeners were established.