Halocard Virtual Credit cards
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a clearly disclosed payment helper that requires user approval before creating a card, but it uses a sensitive Halocard token to complete real purchases.
Before installing, confirm you trust Halocard and the listed domains, use a limited or revocable token if possible, and approve purchases only after verifying the merchant, items, amount, currency, and spending limit.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves the wrong merchant, items, or amount, the agent could complete an unintended purchase.
The skill instructs the agent to create a virtual card and complete checkout, which is a real financial action; the same workflow requires explicit user approval first.
Do **not** create a card until the user confirms. ... **POST** `https://agent.halocard.co/api/v1/payments` ... Submit the payment.
Only approve card creation after checking the merchant, items, total, currency, and any spending limit.
Anyone or any agent process with access to the token may be able to request virtual cards through the Halocard account.
The skill requires a bearer token that authorizes Halocard payment-card creation, which is expected for this purpose but sensitive.
Store it as `HALOCARD_TOKEN` environment variable ... Headers: `Authorization: Bearer $HALOCARD_TOKEN`
Use a dedicated, revocable token if available, keep it out of chats and files, and rotate it if it may have been exposed.
Users have less registry-level provenance to confirm that this payment workflow is from the expected provider.
The registry does not provide source or homepage provenance, which matters more for a skill that handles payment credentials, though no executable code is installed.
Source: unknown Homepage: none
Verify the Halocard service and domains independently before entering or storing a token.