Second, the current implementation is not the final product. SC4 is implemented as a web application simply to leverage a browser as a UI, and to get the maximum coverage for the least amount of effort. Implemented as a web application, the same code can run on all major operating systems, which makes implementation and auditing that much easier.
Finally, the SC4 protocol is simple and easy to parse, and the core crypto library is public domain, so anyone can write an SC4 implementation. The current prototype is only about 700 lines of code (plus 1200 LOC for the NaCl library).
SC4 implements NaCl's authenticated encryption using Curve25519 ECDH key exchange, and secure digital signatures using Ed25519. Keys are generated using the browser's random number generator and stored in localStorage. This is not super-secure but it's not bad either. And remember, the point of this implementation is not to be super-secure, but simply to vet and establish the protocol. Extremely secure implementations of SC4 on dedicated HSM-like dongles are currently in development.
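The two primitives named above, as an added example that is not SC4's own code and does not produce SC4-compatible messages. It assumes Node.js and its built-in `crypto` module rather than the NaCl library, so SHA-256 and ChaCha20-Poly1305 stand in for NaCl's HSalsa20 and XSalsa20-Poly1305; all function names are hypothetical and keys stay in memory instead of localStorage.

```javascript
const crypto = require('crypto');

// One identity = an X25519 pair (key agreement) plus an Ed25519 pair (signing).
function generateIdentity() {
  return {
    box: crypto.generateKeyPairSync('x25519'),
    sign: crypto.generateKeyPairSync('ed25519'),
  };
}

// ECDH, then hash the raw shared secret into a 32-byte symmetric key.
// Assumption: SHA-256 stands in for the HSalsa20 step NaCl uses here.
function sharedKey(myPrivate, theirPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return crypto.createHash('sha256').update(secret).digest();
}

// Encrypt and authenticate for one recipient with a fresh random nonce.
function seal(sender, recipientPublic, plaintext) {
  const nonce = crypto.randomBytes(12);
  const key = sharedKey(sender.box.privateKey, recipientPublic);
  const c = crypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the tag does not verify
// (tampered ciphertext, wrong sender key, or wrong recipient).
function unseal(recipient, senderPublic, msg) {
  const key = sharedKey(recipient.box.privateKey, senderPublic);
  const d = crypto.createDecipheriv('chacha20-poly1305', key, msg.nonce, { authTagLength: 16 });
  d.setAuthTag(msg.tag);
  try {
    return Buffer.concat([d.update(msg.body), d.final()]);
  } catch (err) {
    return null;
  }
}

// Detached Ed25519 signature; Ed25519 hashes internally, so the digest argument is null.
function signDetached(identity, data) {
  return crypto.sign(null, data, identity.sign.privateKey);
}
function verifyDetached(signerPublic, data, signature) {
  return crypto.verify(null, data, signerPublic, signature);
}
```

Because both sides derive the same key from their own private key and the other's public key, a successful `unseal` also tells the recipient which key pair produced the message.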
Not yet. We're working on it.