Intent-Code Divergence
Medium
- Confidence
- 97% confidence
- Finding
- The documentation says the skill does not upload tokens to any third party, yet the usage examples configure Tushare to send requests to `https://tushare.citydata.club/`, a custom proxy/gateway. That means the token is transmitted to an external service controlled by the skill provider, creating a credential exposure and trust-boundary violation risk if users believe the token stays local or only goes to the upstream vendor.
