v1.0.0

mcd-cn

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This skill is a disclosed McDonald’s coupon and nutrition helper that calls a remote service with a user token; users should protect the token and confirm coupon-claiming actions.

Guidance: Before installing, make sure you trust the mcp.mcd.cn service and any configured MCD_MCP_URL. Keep MCD_TOKEN private, and have the agent show available coupons before using one-click coupon claiming.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Use the exec tool to run curl commands that call the MCP service

The skill relies on a local exec/curl command to call the remote API. This is central to the skill’s purpose and disclosed, but users should recognize that it uses command execution rather than a declared native integration.

User impact: The agent may run curl commands to contact the configured McDonald’s MCP service when handling relevant requests.
Recommendation: Keep the endpoint and command structure unchanged, and avoid adding untrusted shell fragments or arguments.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Automatically claim all available coupons to the account.

The auto-bind-coupons tool changes the user’s account coupon state by claiming all available coupons. This matches the advertised coupon-claiming purpose, but it is still an account mutation.

User impact: If invoked, all available coupons may be bound to the user’s account.
Recommendation: Ask the agent to list available coupons first and only claim coupons after clear user confirmation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Users need to register on the MCP official website and obtain an API Token ... set the environment variable `MCD_TOKEN`

The skill requires a bearer token for account-specific actions. This is disclosed and expected for coupon lookup/claiming, but the token is a credential.

User impact: Anyone with the token may be able to access or change coupon-related data through the MCP service.
Recommendation: Store MCD_TOKEN securely, do not paste it into public chats or logs, and rotate it if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
MCD_URL="${MCD_MCP_URL:-https://mcp.mcd.cn}"
MCD_AUTH="Authorization: Bearer ${MCD_TOKEN:-<YOUR_TOKEN>}"

Bearer-token requests are sent to the configured MCP URL. The default endpoint is disclosed, but changing MCD_MCP_URL would also change where the token is sent.

User impact: A misconfigured or untrusted MCP URL could receive the user’s token-bearing requests.
Recommendation: Use only the default or another endpoint you explicitly trust, and verify MCD_MCP_URL before use.