openfort-embedded-wallet

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The SDK explicitly relies on runtime endpoints that load remote UI/logic (hidden WebView / Shield iframe) — e.g. https://embed.openfort.io, https://shield.openfort.io and the API backend https://api.openfort.io — which are fetched at runtime and can deliver remote code/UI that controls prompts and behaviour.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly an embedded-wallet SDK for Openfort across multiple platforms and includes direct blockchain transaction APIs and wallet management. The documentation shows concrete methods to create/configure embedded wallets, obtain EIP-1193 providers, and call provider.request with method "eth_sendTransaction" (Swift/JS/Unity examples). It also documents fee sponsorship (pol_... IDs) and gasless transactions. These are specific crypto/blockchain wallet and transaction features that enable sending/signing on-chain transactions (i.e., moving funds), so it grants direct financial execution capability.