License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the advertised capabilities (querying/claiming coupons, nutrition, store info) and requires an MCP API token and an MCP URL, which are appropriate for the stated purpose. However the registry metadata claims no required environment variables and no required binaries while the runtime instructions explicitly require MCD_TOKEN (sensitive credential) and use curl — a binary that must exist. That mismatch is an incoherence that should be resolved.
Instruction Scope
Instructions are narrowly scoped to calling the MCP JSON-RPC endpoints via curl and parsing responses. They only reference MCD_TOKEN and optional MCD_MCP_URL. One notable behavior: the skill includes an 'auto-bind-coupons' action which actually performs account-altering operations (claims coupons). This is within the advertised functionality but is potentially sensitive and should require explicit user consent before executing.
Install Mechanism
There is no install spec (instruction-only), which is low risk for arbitrary code install. Still, the runtime relies on curl being available; the skill does not declare that dependency in metadata. No downloads or external installers are present.
Credentials
The SKILL.md requires a sensitive credential (MCD_TOKEN) and optionally MCD_MCP_URL, which are reasonable for interacting with a private API. But the published registry metadata did not declare any required env vars or primary credential — an inconsistency. Requiring a bearer token that can perform state-changing actions (claiming coupons) is proportionate for the feature set only if the token's scope is limited and the user is warned and consents; the skill's metadata should explicitly declare this credential requirement.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not modify other skills or system settings. It relies on runtime exec calls but does not ask for elevated or persistent privileges.
What to consider before installing
Before installing:
(1) Verify the skill's source — the registry shows no homepage or publisher information, which makes authenticity harder to confirm.
(2) Expect to provide an MCD_TOKEN (a bearer token) — only supply a token if you trust the MCP service and understand the token's scope; prefer a read-limited or short-lived token if possible.
(3) The skill uses curl but metadata doesn't declare that dependency — ensure curl is available.
(4) The 'auto-bind-coupons' tool will perform account actions; require explicit user confirmation before the skill performs any coupon-claiming.
(5) Ask the publisher to fix metadata inconsistencies (declare required env var(s) and required binary) and to provide a homepage or documentation link so you can verify the endpoint (https://mcp.mcd.cn) is legitimate.
If you can't verify the source or token scope, treat the skill as higher risk and avoid providing long-lived production tokens.
Like a lobster shell, security has layers — review code before you run it.
latestvk976en24een2f3zehv1p3q2xd180jn1j
Runtime requirements
🍔 Clawdis
