mcd-cn

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill is a disclosed McDonald’s coupon and nutrition helper that calls a remote service with a user token; users should protect the token and confirm coupon-claiming actions.

Before installing, make sure you trust the mcp.mcd.cn service and any configured MCD_MCP_URL. Keep MCD_TOKEN private, and have the agent show available coupons before using one-click coupon claiming.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run curl commands to contact the configured McDonald’s MCP service when handling relevant requests.

Why it was flagged

The skill relies on a local exec/curl command to call the remote API. This is central to the skill’s purpose and disclosed, but users should recognize that it uses command execution rather than a declared native integration.

Skill content

Use the exec tool to run curl commands that call the MCP service

Recommendation

Keep the endpoint and command structure unchanged, and avoid adding untrusted shell fragments or arguments.

What this means

If invoked, all available coupons may be bound to the user’s account.

Why it was flagged

The auto-bind-coupons tool changes the user’s account coupon state by claiming all available coupons. This matches the advertised coupon-claiming purpose, but it is still an account mutation.

Skill content

Automatically claim all available coupons to the account.

Recommendation

Ask the agent to list available coupons first and only claim coupons after clear user confirmation.

What this means

Anyone with the token may be able to access or change coupon-related data through the MCP service.

Why it was flagged

The skill requires a bearer token for account-specific actions. This is disclosed and expected for coupon lookup/claiming, but the token is a credential.

Skill content

Users need to register on the MCP official website and obtain an API Token ... set the environment variable `MCD_TOKEN`

Recommendation

Store MCD_TOKEN securely, do not paste it into public chats or logs, and rotate it if it may have been exposed.

What this means

A misconfigured or untrusted MCP URL could receive the user’s token-bearing requests.

Why it was flagged

Bearer-token requests are sent to the configured MCP URL. The default endpoint is disclosed, but changing MCD_MCP_URL would also change where the token is sent.

Skill content

MCD_URL="${MCD_MCP_URL:-https://mcp.mcd.cn}"
MCD_AUTH="Authorization: Bearer ${MCD_TOKEN:-<YOUR_TOKEN>}"

Recommendation

Use only the default or another endpoint you explicitly trust, and verify MCD_MCP_URL before use.