Mcdonald
Pass
Audited by ClawScan on May 1, 2026.
Overview
This McDonald’s helper is purpose-aligned, but it uses a McDonald’s API token and curl calls to an external MCP service, so users should verify the endpoint and approve account-changing coupon actions.
Before installing, confirm that https://mcp.mcd.cn is the service you intend to use, keep MCD_TOKEN private, and ask the agent to confirm before running any action that claims coupons or changes your account.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can send API requests from the user’s environment, including requests that affect coupon handling.
The skill directs the agent to use shell/curl for API calls. This is central to the skill’s purpose, but raw command execution should stay limited to the documented MCP requests.
Use the exec tool to run curl commands that call the MCP service
Keep calls limited to the documented McDonald’s MCP endpoint and require explicit user confirmation before account-changing actions such as one-click coupon claiming.
Anyone who obtains the token, or any untrusted endpoint that receives it, may be able to access the user’s McDonald’s coupon data or claim coupons.
The skill requires an account API token and uses it as a Bearer token for MCP requests. This is expected for account-specific coupon operations, but it grants access to user coupon/account functions.
Set the environment variable `MCD_TOKEN`, or replace `<YOUR_TOKEN>` at call time
Use only a token obtained from the intended official service, keep it private, revoke it if exposed, and avoid placing it in shared logs or public messages.
Users may not notice the token requirement until reading the skill instructions.
The registry metadata does not declare a credential requirement even though SKILL.md documents MCD_TOKEN. The setup requirement is disclosed in the skill text, so this is a metadata/provenance gap rather than hidden behavior.
Required env vars: none; Primary credential: none
The publisher should declare MCD_TOKEN and the external MCP endpoint in metadata; users should inspect the instructions before installing and verify the service destination.
