Is adhambadr/halocard-virtualcards safe?
https://github.com/openclaw/skills/tree/main/skills/adhambadr/halocard-virtualcards
The halocard-virtualcards skill is a payment automation tool that creates disposable virtual cards via the Halocard API. It is structurally clean — no executable code, no prompt injection, clean install — but carries inherent privacy and supply-chain risk from its core design: purchase behavioral data (merchant and item descriptions) is transmitted to a third-party service on every transaction, and live card credentials (PAN, CVC) are held in agent context after each API call. The mandatory user confirmation gate before card creation is a meaningful safeguard, but the skill's security posture is fully dependent on halocard.co being trustworthy.
Findings (7)
MEDIUM Purchase behavioral data sent to third-party API -20
Every card creation request transmits the merchant name and a detailed item description to https://agent.halocard.co/api/v1/payments. This is architecturally necessary but means an external party receives a log of what the user is buying and where. If halocard.co is compromised, sold, or subpoenaed, this data is accessible to third parties.
MEDIUM Virtual card credentials persist in agent context window -15
After the API call at Step 5, the agent holds a live PAN, CVC, and expiry date in its context. These are not ephemeral — they exist in the LLM's working memory until the session ends or context is flushed. A subsequent prompt injection from a malicious webpage or another skill could instruct the agent to relay these card details.
LOW External service supply chain dependency -12
The skill's entire security model depends on halocard.co being a trustworthy, non-malicious operator. A future skill update (only one version published, history is empty) could silently redirect API calls to a different endpoint. The skill requires no code signing or endpoint pinning.
LOW Broad activation scope may trigger on unintended checkouts -15
The skill description instructs the agent to activate 'when completing any online checkout during a task.' If a task involves browsing a site that presents a checkout page incidentally, the skill may propose activating. The mandatory user confirmation gate (Step 3) mitigates this, but the trigger boundary is not tightly scoped.
LOW HALOCARD_TOKEN exposed to third-party endpoint -10
The user's HALOCARD_TOKEN is transmitted as a Bearer token to agent.halocard.co on every request. If the halocard service logs requests or is intercepted, the token is exposed and could be used to create fraudulent cards against the user's account.
INFO No executable code or install hooks present 0
The skill consists solely of SKILL.md and _meta.json. No scripts, binaries, npm hooks, git hooks, submodules, or symlinks were found. The install process performed a clean git sparse-checkout with no side effects.
INFO Clean installation — single expected network connection 0
The only outbound connection during install was to 140.82.121.3:443 (GitHub) for the git clone. Connection state before and after install is identical except for the SSH session rotation. No DNS queries to halocard.co or any unexpected host.