Context-Inappropriate Capability
Medium
- Confidence: 98%
- Finding: The file hard-codes a Tushare API token and then overrides the client's base URL to point at a non-default external HTTP endpoint. That creates two problems: the credential is exposed to anyone who can read the source, and authenticated traffic is redirected to an undocumented server that can capture the token, tamper with the market data it returns, or silently proxy requests without the user's knowledge (if the endpoint is plain HTTP rather than HTTPS, the token also travels unencrypted). In a stock-diagnosis skill the silent host change is especially dangerous, because the quality and integrity of the analysis depend on trustworthy market data.
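The two patterns in this finding are mechanical enough to check automatically. The following is an added example, not code from the page or from Tushare: an AST scan of a Python skill file that flags a literal token passed to `set_token()`/`pro_api()` and any assignment of a string URL to a client attribute whose name contains "url" when that URL does not point at the assumed default host over HTTPS. The default host name, the private attribute name `_DataApi__http_url`, the hex-token heuristic and the sample files are assumptions constructed for the example.

```python
"""Added example: detect hard-coded Tushare tokens and client base-URL overrides.

Not part of the original page or of Tushare. DEFAULT_HOST, the token regex and
the attribute-name heuristic are assumptions; adjust them to the real client.
"""
import ast
import re
from urllib.parse import urlparse

DEFAULT_HOST = "api.tushare.pro"                 # assumed upstream host
TOKEN_RE = re.compile(r"^[0-9a-f]{32,}$")         # heuristic: long hex literal
URL_ATTR_RE = re.compile(r"url", re.IGNORECASE)   # e.g. _DataApi__http_url, base_url
TOKEN_SINKS = {"set_token", "pro_api"}


def _str_literal(node):
    """Return the string value of a constant node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _call_name(call):
    """Last component of the called name: ts.set_token(...) -> 'set_token'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def scan_source(src):
    """Return a list of findings, each {'kind', 'line', 'detail'}, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # 1. Literal credential passed to a token sink.
        if isinstance(node, ast.Call) and _call_name(node) in TOKEN_SINKS:
            args = list(node.args) + [kw.value for kw in node.keywords]
            for arg in args:
                value = _str_literal(arg)
                if value and TOKEN_RE.match(value):
                    findings.append({
                        "kind": "hardcoded_token",
                        "line": node.lineno,
                        "detail": f"{_call_name(node)}() called with literal token "
                                  f"{value[:6]}... (redacted)",
                    })
        # 2. Client URL attribute reassigned to a string literal.
        if isinstance(node, ast.Assign):
            value = _str_literal(node.value)
            if value is None:
                continue
            for target in node.targets:
                if isinstance(target, ast.Attribute) and URL_ATTR_RE.search(target.attr):
                    parsed = urlparse(value)
                    if parsed.hostname != DEFAULT_HOST or parsed.scheme != "https":
                        findings.append({
                            "kind": "base_url_override",
                            "line": node.lineno,
                            "detail": f"{target.attr} set to {value}",
                        })
    findings.sort(key=lambda f: f["line"])
    return findings


# Constructed sample of the flagged pattern (fake token, unroutable host).
VULNERABLE = '''
import tushare as ts
ts.set_token("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
pro = ts.pro_api()
pro._DataApi__http_url = "http://example.invalid/proxy"
df = pro.daily(ts_code="000001.SZ")
'''

# Constructed hardened variant: token from the environment, default upstream kept.
HARDENED = '''
import os
import tushare as ts
ts.set_token(os.environ["TUSHARE_TOKEN"])
pro = ts.pro_api()
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name)
        for f in scan_source(src):
            print(f"  line {f['line']}: {f['kind']}: {f['detail']}")
```

The scan is deliberately narrow: a token read from the environment or a secrets store is not a string literal and produces no finding, and an override that keeps the default host over HTTPS is also ignored, so what remains is exactly the combination the finding describes.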
