Mcdonald - 麦当劳助手
Review
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only McDonald’s helper is purpose-aligned, but it uses an API token and curl calls that can read or claim coupons in the user’s account.
Before installing, verify that https://mcp.mcd.cn is the endpoint you intend to use, keep MCD_TOKEN private, and approve any coupon-claiming action only when you actually want the agent to change your account’s coupons.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user asks for one-click coupon claiming, the agent may modify the user’s McDonald’s coupon account by claiming coupons.
The skill documents an account-changing tool that claims all available coupons. This fits the coupon-assistant purpose and is tied to explicit trigger phrases, but it still changes account state.
### 2. One-click coupon claiming (auto-bind-coupons)
Automatically claims all available coupons to the account.
Confirm account-changing actions before running them, especially commands that claim all available coupons.
Anyone or any tool with the token could potentially access coupon-related account functions available through the MCP service.
The skill requires a bearer token for account-specific MCP calls. This is expected for the stated service, but the token grants delegated access and is not declared in the registry requirements.
Users need to register on the official MCP website and obtain an API Token:
- Visit https://mcp.mcd.cn to obtain a Token
- Set the environment variable `MCD_TOKEN`
Only use a token obtained from a trusted official source, keep it private, and rotate or revoke it if it may have been exposed.
If the endpoint is changed to an untrusted server, the user’s token could be sent outside the intended service.
The authorization token is sent to a configurable remote MCP endpoint. This is normal for the integration, but an untrusted MCD_MCP_URL would receive the token.
MCD_URL="${MCD_MCP_URL:-https://mcp.mcd.cn}"
MCD_AUTH="Authorization: Bearer ${MCD_TOKEN:-<YOUR_TOKEN>}"
Leave MCD_MCP_URL at the trusted default unless you intentionally use a verified alternative endpoint.
Users have less provenance information to verify who maintains the skill or service instructions.
The registry metadata does not provide a source repository or homepage, while the skill relies on an external MCP service and token setup.
Source: unknown
Homepage: none
Verify the skill publisher and MCP endpoint independently before providing an account token.
