proximity-reader
Warn
Audited by Snyk on Mar 10, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill contains runtime code that fetches a reader token from "https://your-server.com/api/reader-token" via URLSession, and that JWT (fetched at runtime) directly controls which document elements the Verifier API requests from the holder (i.e., the prompts/permissions), making this an external dependency required for operation.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly built to implement Tap to Pay and contactless payment acceptance on iPhone. It names payment-specific classes (PaymentCardReader, PaymentCardReaderSession), shows creating PaymentCardTransactionRequest with amount/currency, directs sending paymentCardData or store-and-forward batch.data to a PSP, and references integration with Level 3 certified PSPs (Stripe, Adyen, Square, Windcave) and reader tokens/JWTs. These are specific payment gateway/transaction operations (not generic browser or HTTP tooling) and therefore constitute direct financial execution capability.