emblem-ai-react
Warn
Audited by Snyk on Apr 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). HustleProvider is wired to a runtime backend via hustleApiUrl (import.meta.env.VITE_HUSTLE_API_URL) — e.g. the example base URL https://emblemvault.dev — and the docs explicitly state that this endpoint is used for prompt and tool orchestration, meaning remote content at that URL can directly control prompts at runtime.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly supports "wallet-enabled users", "users can sign in with wallets", React hooks and UI components that expose "vault, and wallet state", and mentions "signing" and a related "emblem-ai-agent-wallet" skill for wallet workflows. These are specific crypto/wallet capabilities (wallet auth, signing, and wallet state management), which fall under the Crypto/Blockchain category in the rules and can enable transaction signing or wallet-based financial actions.
Issues (2)
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).