ClawHub

麦当劳MCP服务集成,支持点餐、优惠券、麦麦商城、积分兑换等功能。

v1.0.0

麦当劳MCP服务集成,支持点餐、优惠券、麦麦商城、积分兑换等功能。需要用户先在 https://open.mcd.cn 申请MCP Token。

0· 194·0 current·0 all-time
by@jessiondai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise MCP integration and the included script + SKILL.md implement exactly that. Minor inconsistency: the skill requires an MCP Token at runtime (per SKILL.md and the CLI script) but the registry metadata does not declare any required env var or primary credential.
Instruction Scope
SKILL.md instructs only HTTP POSTs to the documented MCP base URL and to provide the MCP Token; it does not ask the agent to read unrelated files, secrets, or send data to other endpoints.
Install Mechanism
No install spec or external downloads. The package is instruction-only plus a small included Node.js script; nothing is written to disk by an installer during install-time.
Credentials
The only secret the skill needs is the MCP Token, which is proportionate to the purpose. However, that credential is not declared in the skill metadata (primaryEnv/required env), and the provided script expects the token as a CLI argument (which can leak in process lists).
Persistence & Privilege
always is false, no config paths or system-wide changes are requested, and the skill does not attempt to persist or modify other skills or agent settings.
Assessment
This skill appears to do what it says: call McDonald's MCP HTTP APIs using a user-supplied MCP Token. Before installing, consider: (1) only provide a token obtained from the official open.mcd.cn console; (2) prefer supplying the token securely (environment variable or secret store) rather than as a CLI argument to avoid exposure in process lists; (3) review the included scripts yourself if you are concerned about network requests—they call only https://mcp.mcd.cn endpoints; (4) avoid giving broader credentials (AWS, GitHub, etc.) since they are not needed; and (5) if you allow autonomous agent invocation, be aware the agent could call the MCP endpoints without further prompts — limit the token's scope/validity if possible. If you want higher assurance, ask the publisher for a declared primaryEnv entry for the MCP token and/or an updated script that reads the token from a secure source instead of CLI args.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eqtfz1v3fngcz97mhv1aje58340m3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments