Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
McDonald's China (mstore)
v1.0.0
McDonald's China coupon redemption, query, and points checking. Use when user wants to (1) Query or claim McDonald's coupons, (2) Check available coupons, (3...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, reference API, and provided CLI (scripts/mcd.py) are consistent with McDonald's China MCP operations (coupons, points, ordering). However the registry metadata claims no required environment variables while the SKILL.md and the CLI both require an MCDCN_MCP_TOKEN — this metadata omission is an inconsistency.
Instruction Scope
Runtime instructions are narrowly focused on MCP API calls and token configuration. They instruct the user to set MCDCN_MCP_TOKEN or run scripts/setup.sh which writes to the user's shell profile and exports the token to the current session. Writing to the user's shell profile is within scope for persisting a credential but is a privileged action (modifies user config) and should be highlighted to users.
Install Mechanism
The package itself has no install spec (instruction-only), which is low risk. SKILL.md recommends installing a third‑party brew formula (ryanchen01/tap/mcd-cn) — that external package is not part of this bundle and introduces trust considerations; the included scripts are plain Python and a shell setup script (no obfuscated code or downloads).
Credentials
The skill legitimately needs a single MCP token (MCDCN_MCP_TOKEN) to access the user's McDonald's account. However the registry metadata does not declare this required env var (it lists none), which is inconsistent and could mislead users about what secrets the skill needs. The code also looks for a local ~/.mcd-cn.env file as an alternate token source — this is reasonable but means the token could be read from that file if present.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide settings. The setup script will add an export line to a detected shell profile (~/.zshrc, ~/.bash_profile, or ~/.bashrc), which is a normal way to persist a credential but is a filesystem-write action affecting your shell environment and should be acknowledged before running.
What to consider before installing
This skill appears to implement the McDonald's China MCP API and requires only your MCP token (MCDCN_MCP_TOKEN). Before installing or running:
1) Verify the registry metadata is corrected to declare the required MCDCN_MCP_TOKEN (the SKILL.md and code do require it).
2) Inspect the third‑party brew formula (ryanchen01/tap/mcd-cn) before running brew install — the skill suggests but does not bundle that install.
3) Be aware setup.sh will modify your shell profile (~/.zshrc, ~/.bash_profile, or ~/.bashrc) to store the token; if you prefer not to persist the token, export it only into your current session instead of running the script.
4) Confirm the MCP endpoints (open.mcd.cn / mcp.mcd.cn) are legitimate and that the token you provide is only used for your McDonald's account.
5) If you have concerns, ask the publisher to: add MCDCN_MCP_TOKEN to the declared required env vars, document exactly what the brew formula contains, and provide checksums or a trusted source for any external packages.
Like a lobster shell, security has layers — review code before you run it.
