Mcdonald - McDonald's Assistant
v1.0.1 · McDonald's Assistant - look up and claim coupons, event calendar, menu item nutrition information, store lookup
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes calling an MCP API (mcp.mcd.cn) to list/claim coupons, query nutrition, and check events — that aligns with the skill name and description. However, the skill requires an API token (MCD_TOKEN) and an optional MCD_MCP_URL in its instructions, but the registry metadata claims no required environment variables or binaries. The missing declaration of the token/binary requirement is an inconsistency.
Instruction Scope
The instructions are explicit and scoped to calling the MCP JSON-RPC endpoints via curl (tools/call). They do not instruct reading arbitrary local files or other unrelated services. The only external communications go to the documented MCP host (mcp.mcd.cn) and are coherent with the stated purpose.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest risk from install mechanisms (nothing is downloaded or written to disk by an installer).
Credentials
The SKILL.md requires a bearer token (MCD_TOKEN) to call user-account actions (including auto-bind-coupons). Requesting a token for the MCP service is reasonable for this functionality, but the registry metadata does not declare any required credentials. Additionally, the instructions assume availability of an exec/curl mechanism but the registry lists no required binaries. The omission reduces transparency about what secrets/binaries the skill needs.
Persistence & Privilege
The skill does not request persistent privileges (always is false) and does not include install steps that modify other skills or global agent settings. Autonomous invocation (disable-model-invocation: false) is default and not by itself concerning here.
What to consider before installing
Before installing, verify the source and update metadata: SKILL.md requires an MCD_TOKEN (and implicitly curl/exec) but the registry lists none — ask the publisher to declare required env vars and binaries. Treat your MCD_TOKEN like a password: do not paste it in public chat, and understand the token can be used to perform account actions (e.g., auto-bind-coupons). Confirm that the MCP host (https://mcp.mcd.cn) is legitimate for your region and consider creating a token with limited scope if possible. If you need stronger assurance, request the publisher's homepage or source code so you can audit how the token is used; otherwise avoid granting tokens to untrusted/unknown skills.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🍔 Clawdis
