Intent-Code Divergence
Medium
- Confidence
- 94% confidence
- Finding
- The documentation makes an inaccurate security/privacy claim: it says API keys are 'never logged or transmitted to third parties,' yet the skill depends on third-party services such as SEC/FDA APIs, Slack, and OpenAI, which necessarily involve transmitting secrets or authenticated requests externally. Misstating data-handling behavior can cause operators to underestimate exposure, misconfigure controls, or violate internal compliance expectations in a tool explicitly meant for regulated environments.
