McDonald's Smart Ordering Assistant

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill’s McDonald’s ordering purpose is coherent, but it requires a McDonald’s account token and shell/API authority that are under-declared and tied to an unverified source and configurable endpoint.

Only install this if you trust the publisher and can verify the source. Use a dedicated/revocable McDonald's API token if possible, do not set MCD_MCP_URL to anything except the trusted official endpoint, review the curl commands before use, and require explicit confirmation before claiming coupons or creating orders.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install without realizing the skill needs a sensitive account token and can perform account actions such as claiming coupons or creating orders.

Why it was flagged

The registry metadata does not declare a credential requirement, but the skill requires an account token that can access McDonald's account operations, addresses, coupons, and ordering flows.

Skill content

metadata: "Required env vars: none" and "Primary credential: none"; SKILL.md: "MCD_TOKEN (required) - API authentication token"; README.md: "API Token (MCD_TOKEN) - Access to your McDonald's account"

Recommendation

Declare MCD_TOKEN as a primary credential/capability, document exact account scopes, use a dedicated or revocable token where possible, and keep explicit user confirmation for all write actions.

What this means

If the skill were modified or invoked unsafely, shell access could run commands beyond the intended API calls.

Why it was flagged

Shell access is broad, but the artifacts use it for purpose-aligned curl calls and include confirmation gates for order creation.

Skill content

"Required Tools: execute_bash" and "All tools are invoked via curl to the MCP endpoint"; delivery flow says "Wait for user confirmation" and "Create order - Call create-order only after user confirms price"

Recommendation

Review generated shell commands, restrict execution to the documented curl pattern when possible, and require confirmation before coupon claims, coupon use, or order creation.

What this means

Because this skill asks for a token and shell access, an unverified or repackaged copy could abuse the token or change the shell commands.

Why it was flagged

The package provenance is not verifiable from the supplied metadata, and the README's trusted-source guidance/version information does not line up with the registry metadata.

Skill content

metadata: "Source: unknown", "Homepage: none", "Version: 1.0.5"; README.md: "Only install from trusted sources (official Anthropic repository)" and "版本: 2.0.0"

Recommendation

Install only from a verified publisher/source, provide a real homepage or repository, align package versions, and publish checksums or signatures for integrity.

What this means

If MCD_MCP_URL is set to an untrusted or compromised endpoint, the user's McDonald's token and account-related API data could be sent there.

Why it was flagged

The bearer token is sent to a configurable MCP endpoint, while the security documentation claims communication is limited to mcp.mcd.cn.

Skill content

SKILL.md: "curl -s -X POST \"${MCD_MCP_URL:-https://mcp.mcd.cn}\"" with "Authorization: Bearer ${MCD_TOKEN}"; SECURITY.md: "Only communicates with `mcp.mcd.cn`"

Recommendation

Pin or allowlist the official endpoint, clearly warn users about any custom endpoint, and do not set MCD_MCP_URL unless the endpoint is trusted.