ClawHub

Halocard Virtual Credit cards

v1.0.2

Create disposable virtual credit cards for online purchases. Use as a payment method when completing any online checkout during a task — e.g. ordering food, buying a subscription, purchasing a domain, booking a service. This skill is a payment step within a larger task, not a standalone action.

0· 1k·0 current·0 all-time
by@adhambadr
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description promise: generate disposable virtual credit cards. Declared requirement: HALOCARD_TOKEN. There are no unrelated env vars, binaries, or config paths requested. The single required credential (HALOCARD_TOKEN) is appropriate and expected for calling a card-issuing API. The SKILL.md uses halocard-related URLs (secure.halocard.co and agent.halocard.co), which is consistent with the stated provider, although no official homepage/source repo is provided for independent verification.
Instruction Scope
Instructions stay within the payment use-case: navigate to checkout, read the exact total, ask for user confirmation, POST to the Halocard API, and fill the form with returned PAN/CVC. The doc explicitly forbids logging/storing card details and requires user confirmation before creating a card. Minor notes: the runtime instructions implicitly require the agent to scrape/parse checkout pages (expected for a browsing agent) and send sensitive card data to the target checkout form; they also instruct storing the API token as an env var. The skill does not specify additional safeguards (e.g., hostname verification or token scoping), and the API endpoint is a third-party URL (agent.halocard.co) — legitimate but not independently verified here.
Install Mechanism
No install spec and no code files — instruction-only. This means nothing is written to disk or fetched during installation. Install risk is minimal.
Credentials
Only HALOCARD_TOKEN is required and declared as the primary credential; that is proportionate to the stated functionality. Treat HALOCARD_TOKEN as highly sensitive: possession of the token likely allows creating virtual cards (and thus obtaining PAN/CVC numbers). The SKILL.md advises storing it as an env var (common practice) but does not describe token scopes, expiry, or least-privilege recommendations.
Persistence & Privilege
The skill is not always-enabled, does not request elevated system privileges, does not modify other skills, and has no install-time persistence. Autonomous invocation is allowed (platform default) but not combined here with any unusual privileges.
Assessment
This skill appears internally consistent for generating one‑time virtual cards and only asks for a Halocard API token. Before installing: 1) Verify the Halocard service and the exact API domain (confirm agent.halocard.co is legitimate) and prefer instructions from an official homepage or docs; 2) Treat HALOCARD_TOKEN as secret — store it in a secure credential store, not a shared plaintext environment; 3) Understand that the token can likely create cards and expose PAN/CVC, so revoke or rotate it if you suspect compromise; 4) Ensure the agent does not persist or log returned card details (the SKILL.md instructs this, but you should confirm the agent enforces it); 5) Consider testing with a very small amount or sandbox token if available; and 6) If you need stronger assurance, ask the publisher for source/repo or official API docs before use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💳 Clawdis
EnvHALOCARD_TOKEN
Primary envHALOCARD_TOKEN
latestvk9718rbpkzvctjegwfyh5f17x1810trr
1kdownloads
0stars
3versions
Updated 1mo ago
v1.0.2
MIT-0
@adhambadr
latest
Download

Halocard — Disposable Virtual Cards for Online Purchases

Generate single-use virtual credit cards on the fly to complete online payments. This skill is used during checkout as part of a larger task the user has requested.

Setup

A Halocard token is required. If not configured:

  1. Ask the user to sign up: https://secure.halocard.co/enter
  2. Ask the user to copy paste an API token: https://secure.halocard.co/dashboard
  3. Store it as HALOCARD_TOKEN environment variable

When This Skill Activates

This is a payment step, not a standalone task. It activates when:

  • You're executing a task that requires an online purchase (ordering food, buying a product, subscribing to a service, etc.)
  • You've reached the checkout/payment page and need a card to complete it

Workflow

1. Navigate to checkout

Complete the shopping/ordering flow as part of the user's task. Proceed until you reach the payment page.

2. Read the total from the page

Extract the exact total amount from the checkout page. Do not guess or estimate.

3. Confirm with the user before proceeding

Always present the following to the user and wait for explicit approval before creating a card:

  • Merchant/website
  • Items being purchased (brief summary)
  • Total amount

Example:

💳 Ready to pay. Uber Eats — 2x chicken shawarma, 1x hummus. Total: £24.50. Go ahead?

Do not create a card until the user confirms.

4. Build the description from context

Construct a clear description from what you know:

  • The merchant/website name
  • What's being purchased
  • Example: "Uber Eats order - 2x chicken shawarma, 1x hummus"

5. Create the card

POST https://agent.halocard.co/api/v1/payments

Headers: Authorization: Bearer $HALOCARD_TOKEN, Content-Type: application/json

{
  "amount": 2450,
  "description": "Uber Eats order - 2x chicken shawarma, 1x hummus"
}
  • amount: integer in cents ($24.50 → 2450). Match the checkout total exactly.
  • description: what's being purchased + merchant

Response:

{
  "data": {
    "card": {
      "id": "card_abc123",
      "pan": "4111111111111111",
      "cvc": "123",
      "expiryMonth": "03",
      "expiryYear": "2027"
    }
  }
}

6. Fill the payment form

Enter the card details into the checkout form:

  • Card numberpan
  • CVC/CVVcvc
  • Expiry monthexpiryMonth
  • Expiry yearexpiryYear
  • Cardholder name → user's name (ask if unknown)
  • Billing address → user's address (ask if unknown)

7. Submit and confirm

Submit the payment. Verify the order confirmation page loaded. Report the outcome to the user.

Spending Limits

  • If the user set a max amount for the task (e.g. "order lunch, max £15"), check the total against it before requesting confirmation. If over budget, inform the user.
  • Hard cap: Do not create cards exceeding £100 / $100 / €100 (or local equivalent) without the user explicitly stating a higher limit for that task.
  • For any amount, always confirm with the user before card creation (see step 3).

Rules

  1. Never log or store card details (PAN, CVC) to any file.
  2. Match the amount exactly to the checkout total — read it from the page.
  3. Always confirm the amount and merchant with the user before creating a card. No exceptions.
  4. Create the card only when ready to fill the payment form — cards are single-use.
  5. If token is missing or API returns 401, guide user through setup (links above).
  6. If payment fails, report the error to the user. Do not retry with a new card without asking.

Example (curl)

curl -X POST https://agent.halocard.co/api/v1/payments \
  -H "Authorization: Bearer $HALOCARD_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"amount": 2450, "description": "Uber Eats order - 2x chicken shawarma"}'

Comments

Loading comments...