mcdonalds-mcp-order-lite

Security checks across malware telemetry and agentic risk

Overview

This skill is a largely coherent McDonald’s China ordering helper, but it exposes real order-creation and cancellation authority, and it sends the bearer token and personal data (names, phone numbers, addresses, precise coordinates) to a remote service with incomplete guardrails.

Install only if you trust this publisher and are comfortable giving the skill a McDonald’s MCP bearer token with real account/order authority. Keep the endpoint fixed to https://mcp.mcd.cn, do not expose MCD_MCP_URL to untrusted values, require a clear final confirmation before creating or cancelling any order, and expect delivery details, contact information, addresses, and precise coordinates to be sent to the remote service when those tools are used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The configuration tool exposes the first characters of the bearer token via `client.token[:8] + '...'`, which leaks secret material to any caller of the tool. Even partial credential disclosure increases the attack surface by enabling token correlation, secret validation, log exposure, and aiding credential theft workflows, especially in agent environments where tool output may be logged or shown to users.
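The two hardening steps the page asks for, pinning the endpoint from the overview and not echoing token bytes from this finding, as an added example that is not the skill’s own code. Only the endpoint https://mcp.mcd.cn and the MCD_MCP_URL variable come from the page; the MCD_MCP_TOKEN variable name, the ClientConfig dataclass and the helper names are assumptions for illustration. The leaky `describe_config_leaky` reproduces the `token[:8] + '...'` pattern the finding describes; `describe_config` is the replacement.

```python
"""Pinned MCP endpoint plus a non-leaking way to show which token is loaded.

Added example; helper names, ClientConfig and MCD_MCP_TOKEN are assumed.
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

PINNED_ENDPOINT = "https://mcp.mcd.cn"   # the only endpoint the page allows


@dataclass(frozen=True)
class ClientConfig:
    url: str
    token: str


def _origin(url: str):
    """(scheme, host, port) with the default port filled in, so
    'https://mcp.mcd.cn' and 'https://mcp.mcd.cn:443' compare equal."""
    p = urlsplit(url)
    if p.username or p.password:
        raise ValueError("credentials embedded in MCP URL are not allowed")
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, p.hostname, port)


def validate_endpoint(url: str) -> str:
    """Accept only the pinned origin. A plain-http URL, a look-alike host
    (mcp.mcd.cn.evil.example) or a user-info trick (mcp.mcd.cn@evil.example)
    is rejected, so the bearer token can never be sent anywhere else."""
    if _origin(url) != _origin(PINNED_ENDPOINT):
        raise ValueError(f"refusing non-pinned MCP endpoint: {url!r}")
    return url


def build_client(env: dict) -> ClientConfig:
    """Build the client from an environment mapping (os.environ in real use).
    MCD_MCP_URL is still read, but only values on the pinned origin pass."""
    url = validate_endpoint(env.get("MCD_MCP_URL", PINNED_ENDPOINT))
    token = env.get("MCD_MCP_TOKEN", "")          # variable name assumed
    if not token:
        raise ValueError("MCD_MCP_TOKEN is not set")
    return ClientConfig(url=url, token=token)


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix of the token. A user can tell which credential
    is loaded, but no token bytes are revealed, so the output cannot be used
    to validate the secret or narrow a guess at it the way token[:8] can."""
    return "sha256:" + hashlib.sha256(token.encode()).hexdigest()[:12]


def describe_config_leaky(cfg: ClientConfig) -> str:
    """The pattern the finding describes: leaks the first 8 token characters."""
    return f"url={cfg.url} token={cfg.token[:8]}..."


def describe_config(cfg: ClientConfig) -> str:
    """Hardened equivalent: reports presence and fingerprint, never content."""
    return (f"url={cfg.url} token=configured "
            f"fingerprint={token_fingerprint(cfg.token)}")


if __name__ == "__main__":
    demo = build_client({"MCD_MCP_URL": "https://mcp.mcd.cn",
                         "MCD_MCP_TOKEN": "example-token-not-real"})
    print(describe_config_leaky(demo))   # leaks 'example-'
    print(describe_config(demo))         # leaks nothing
```

Agent tool output is routinely logged and shown back to users, which is why even a fingerprint should be the most a configuration tool ever returns about a credential.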

Missing User Warnings

Medium
Confidence: 92%
Finding
The create_order method is designed to send user_info and delivery_info, which can contain personal data such as name, phone number, and address, to a remote service without any built-in consent notice, minimization, or redaction. In an agent context, this increases privacy risk because a caller may pass sensitive data automatically, and the code provides no safeguard to ensure the user understands what will be transmitted.

Missing User Warnings

Medium
Confidence: 96%
Finding
The find_stores method transmits precise latitude and longitude to a remote API, which is sensitive location data, without any user-facing disclosure or coarse-location option. In an agent skill, silent sharing of exact coordinates is privacy-relevant because it can reveal home, workplace, or travel patterns beyond what a user may expect from a simple store lookup.

Missing User Warnings

Medium
Confidence: 91%
Finding
The reference includes a concrete `create-order` example for a real commerce endpoint but does not instruct the agent to obtain explicit user confirmation immediately before invoking that tool. In an agent setting, this can lead to unintended real-world purchases if the model proceeds from browsing or price-checking directly into order creation, especially because the flow is framed as a normal tested sequence.

Missing User Warnings

Medium
Confidence: 91%
Finding
The order-creation tool accepts and transmits personal data such as name, phone number, and delivery address without any explicit confirmation or consent guard in this file. In an agent setting, this can lead to unintended sharing of sensitive personal data or accidental order placement if the model infers values or acts prematurely.

Missing User Warnings

Medium
Confidence: 95%
Finding
Order cancellation is a destructive action with real-world consequences, yet the tool performs it directly with no explicit confirmation workflow in the file. In agent-driven use, ambiguous user input or prompt manipulation could trigger unwanted cancellations and possible financial or service disruption.
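One way to close the gaps in findings 2 through 6 (silent transmission of personal data and coordinates, and order creation or cancellation with no confirmation step), as an added example that is not the skill’s code. The tool names find_stores, create_order and cancel_order come from the findings; the field names, the ToolGate class, the ConfirmationRequired exception and the transport callable are assumptions for illustration. The gate records a disclosure of every sensitive field before it leaves the host, coarsens coordinates for store lookups unless the caller opts in to precise location, and refuses side-effecting tools until it receives a confirmation token that is bound to the exact payload, so arguments altered after the user confirmed (for example by injected instructions) invalidate the confirmation.

```python
"""Consent and confirmation gate in front of outbound MCP tool calls.

Added example; tool/field names, ToolGate and ConfirmationRequired are assumed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Any, Callable, Optional

SENSITIVE_FIELDS = {"name", "phone", "address", "latitude", "longitude"}
SIDE_EFFECTING = {"create_order", "cancel_order"}   # real-world consequences


class ConfirmationRequired(Exception):
    """Raised instead of calling a side-effecting tool. The agent shows the
    disclosure and must pass the token back only after the user agrees."""
    def __init__(self, disclosure: str, token: str):
        super().__init__(disclosure)
        self.disclosure, self.token = disclosure, token


def find_sensitive(obj: Any, path: str = "") -> list:
    """Dotted paths of every sensitive field in nested JSON-like arguments."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in SENSITIVE_FIELDS:
                found.append(p)
            found += find_sensitive(v, p)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found += find_sensitive(v, f"{path}[{i}]")
    return found


def coarsen_location(args: dict, decimals: int = 2) -> dict:
    """Round coordinates (2 decimals is roughly 1 km) so a store lookup
    reveals a neighbourhood rather than a home or workplace address."""
    out = dict(args)
    for k in ("latitude", "longitude"):
        if k in out:
            out[k] = round(float(out[k]), decimals)
    return out


class ToolGate:
    def __init__(self, transport: Callable[[str, dict], Any],
                 key: Optional[bytes] = None):
        self.transport = transport            # performs the real remote call
        self.key = key or secrets.token_bytes(32)
        self.notices: list = []               # disclosures the agent must surface

    def _confirm_token(self, tool: str, args: dict) -> str:
        """HMAC over the canonical (tool, args) so the token only matches
        the exact payload the user saw."""
        canon = json.dumps({"tool": tool, "args": args}, sort_keys=True,
                           separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()[:16]

    def call(self, tool: str, args: dict, confirm_token: Optional[str] = None,
             precise_location: bool = False) -> Any:
        args = dict(args)
        if tool == "find_stores" and not precise_location:
            args = coarsen_location(args)
        fields = find_sensitive(args)
        if fields:
            self.notices.append(
                f"{tool}: sending {', '.join(fields)} to the remote service")
        if tool in SIDE_EFFECTING:
            expected = self._confirm_token(tool, args)
            if not (confirm_token and
                    hmac.compare_digest(confirm_token, expected)):
                raise ConfirmationRequired(
                    f"{tool} will be executed for real with "
                    f"{json.dumps(args, sort_keys=True)}; fields leaving the "
                    f"host: {', '.join(fields) or 'none'}. Confirm to proceed.",
                    expected)
        return self.transport(tool, args)
```

The confirmation token is never shown to the model as something it may mint itself; the agent harness holds the gate, shows the disclosure to the human, and only forwards the token after an explicit yes. Because the token is keyed to the canonical payload, a second create_order with a different store or address needs a fresh confirmation.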

VirusTotal

No security vendors flagged this skill as malicious (0/66 detections). A clean VirusTotal result only covers the packaged files; it says nothing about the agentic risks listed above.

View on VirusTotal