v1.0.2

Halocard Virtual Credit cards

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:36 AM.

Analysis

This is a clearly disclosed payment helper that requires user approval before creating a card, but it uses a sensitive Halocard token to complete real purchases.

Guidance: Before installing, confirm you trust Halocard and the listed domains, use a limited or revocable token if possible, and approve purchases only after verifying the merchant, items, amount, currency, and spending limit.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Note
SKILL.md
Do **not** create a card until the user confirms. ... **POST** `https://agent.halocard.co/api/v1/payments` ... Submit the payment.

The skill instructs the agent to create a virtual card and complete checkout, which is a real financial action; the same workflow requires explicit user approval first.

User impact: If the user approves the wrong merchant, items, or amount, the agent could complete an unintended purchase.
Recommendation: Only approve card creation after checking the merchant, items, total, currency, and any spending limit.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
metadata
Source: unknown
Homepage: none

The registry does not provide source or homepage provenance, which matters more for a skill that handles payment credentials, though no executable code is installed.

User impact: Users have less registry-level provenance to confirm that this payment workflow is from the expected provider.
Recommendation: Verify the Halocard service and domains independently before entering or storing a token.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
SKILL.md
Store it as `HALOCARD_TOKEN` environment variable ... Headers: `Authorization: Bearer $HALOCARD_TOKEN`

The skill requires a bearer token that authorizes Halocard payment-card creation, which is expected for this purpose but sensitive.

User impact: Anyone or any agent process with access to the token may be able to request virtual cards through the Halocard account.
Recommendation: Use a dedicated, revocable token if available, keep it out of chats and files, and rotate it if it may have been exposed.