[TekMol]

    there is nothing much the library _can_ do IMHO

It's code that runs on your machine. What would prevent it to do whatever it wants? Like sending your private keys somewhere? Or using a weak form of crypto to create them so that somebody can guess them?

[brown-dragon]

That's an excellent point. The only place the library has access to the private keys are during account creation and message signing. Perhaps I should implement both directly in the wallet so it's visible and clear to everyone.