Security audit

mcd-mcp-skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed McDonald's account integration, but it can create orders, add addresses, claim coupons, and redeem loyalty points using the user's token.

Install only if you trust this publisher and the McDonald's MCP service with your account token. Before running mutating actions, explicitly confirm the delivery address, phone number, items, coupons, total price, and any loyalty point deduction; avoid letting an agent automatically claim coupons, create orders, add addresses, or redeem points from ambiguous prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly requires sensitive capabilities—environment-based token access, MCP integration, and outbound network/API actions—but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: reviewers or runtime controls may not realize the skill can access credentials and perform account-affecting actions such as ordering, coupon claiming, and points redemption. In this context, the risk is higher than a read-only integration because the documented actions can spend points, modify addresses, and initiate orders on behalf of a user.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger conditions are very broad, covering many common McDonald's-related intents such as food info, ordering, address management, coupons, points, and campaigns without clear activation boundaries. That increases the chance of accidental invocation in unrelated or ambiguous conversations, which is especially risky here because the skill exposes account-linked and state-changing operations rather than only informational queries. The skill context makes this more dangerous because mistaken activation could lead to sensitive data access or progression toward purchases and redemptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes a state-changing tool that creates a delivery order and returns a payment link, but it does not clearly require an explicit user confirmation step immediately before invoking it. In an agent setting, this increases the risk of unauthorized purchases or accidental order placement if the assistant infers intent from prior context rather than receiving a fresh, unambiguous confirmation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The auto-bind-coupons tool performs a bulk account mutation by automatically claiming all available coupons, but the documentation does not warn that it changes user account state or that consent should be obtained first. This can lead to unintended account actions, auditability issues, or user confusion when an agent triggers the action without a clear approval step.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The address-creation path sends clearly sensitive personal data including street address, latitude/longitude, contact name, and phone number to a remote service, but the CLI provides no explicit warning or consent checkpoint at the moment of action. In an agent/skill context, users may not realize that invoking this command transmits PII off-host to a third-party endpoint, which creates privacy and compliance risk even though the transmission appears functionally necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The create-order flow performs an externally impactful action—placing a delivery order—without any confirmation step, dry-run mode, or warning that the operation may commit a real purchase. In agent-driven usage, ambiguous user prompts or prompt injection into higher layers could cause unintended orders to be placed with financial and operational consequences.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The points-redemption command directly invokes product redemption without warning that it may irreversibly consume loyalty points or create an order. Because point balances are user assets, executing this action without confirmation increases the risk of accidental loss through user error, automation mistakes, or adversarial prompt manipulation upstream.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.