Halocard Virtual Credit cards

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed payment helper that can create disposable virtual cards only after user approval, but it still carries real spending authority.

Install only if you trust Halocard and are comfortable giving the agent controlled spending ability. Use a revocable or limited HALOCARD_TOKEN if available, keep it out of chats and files, and approve each transaction only after checking the merchant, items, total, currency, and spending limit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation criteria are broad enough to trigger on many ordinary shopping and checkout flows, which can cause the agent to enter a payment-capable mode in a wide range of contexts. In a skill that can generate virtual cards and complete purchases, overbroad activation materially increases the chance of unintended or unauthorized spending, even though later steps require confirmation.

VirusTotal

64/64 vendors flagged this skill as clean.
