McDonald's China (mstore)

Security checks across malware telemetry and agentic risk

Overview

This skill matches its McDonald’s China use case, but it needs Review because it can use an account token for real account and ordering actions while handling that token unsafely.

Install only if you are comfortable giving this skill access to a McDonald’s China account token that can read account information and perform coupon, points, address, and delivery-order actions. Avoid the setup script on shared, logged, synced, or screen-shared machines; prefer a temporary environment variable or secure credential manager. Require explicit confirmation before any action that claims coupons, spends points, changes delivery addresses, or creates an order.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill explicitly requires an environment variable token and access to a remote MCP server, but the manifest does not declare the implied env/network capabilities or otherwise warn users about those sensitive operations. This creates a transparency and consent gap: users may invoke a commerce-linked skill without understanding it will read credentials and perform authenticated network actions on their McDonald's account.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The CLI accepts any user-supplied tool name and forwards it directly to the MCP server, without enforcing an allowlist matching the skill's declared scope. If the backing server exposes additional privileged or unintended tools, the skill can be used to access capabilities beyond coupons, points, calendar, and delivery, creating a scope-expansion risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill advertises delivery ordering and address management tied to a real McDonald's account, but does not clearly warn that it will access saved addresses, use account data, and potentially place real orders with financial or account consequences. In a commerce context, omission of such warnings is dangerous because users may trigger irreversible or chargeable actions without informed consent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The setup instructions tell users to export an MCP token tied to their phone-number-based McDonald's account, but do not emphasize that this token is a sensitive credential equivalent to account access. If exposed through shell history, logs, screenshots, shared terminals, or inherited environments, an attacker could query account data, claim coupons, redeem points, or place orders against the user's account.

Missing User Warnings

Medium
Confidence: 86%
Finding
The reference exposes account-sensitive and real-world action tools, including points balance access, saved address retrieval, address creation, coupon querying, and delivery order creation, without documenting consent requirements, confirmation steps, or privacy warnings. In an agent setting, this increases the risk of unauthorized disclosure of personal data or unintended account-impacting actions if the agent invokes these tools without explicit user confirmation.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script persists the MCP token to the user's shell profile, storing a sensitive credential in plaintext on disk and causing it to be loaded automatically into future shells. This increases exposure through local file disclosure, backups, profile syncing, accidental sharing, and other processes that can read shell startup files; in this skill's context, the token grants direct access to McDonald's China MCP services, so compromise could enable unauthorized coupon, points, or ordering actions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script prints terminal instructions containing the full token value, unnecessarily re-exposing the secret after entry. This can leak credentials via terminal scrollback, screen recording, shoulder surfing, terminal logging, shell session capture, or copied command history; because the token provides access to account-linked MCP functionality, disclosure could let another party use the victim's coupons, points, or ordering capabilities.

VirusTotal

65/65 vendors flagged this skill as clean.
