My Mcdonald
v1.0.0 McDonald's assistant - query/claim coupons, event calendar, meal nutrition information, store lookup
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's described purpose (query/claim coupons, nutrition, calendar, store lookup) aligns with the curl-based MCP API calls in SKILL.md. However, the registry metadata claims no required environment variables while SKILL.md explicitly requires MCD_TOKEN (and optionally MCD_MCP_URL). That metadata mismatch is an important inconsistency (the token is appropriate for the stated purpose, but it should have been declared).
Instruction Scope
The instructions are explicit: run curl POSTs to https://mcp.mcd.cn (or MCD_MCP_URL) using Authorization: Bearer $MCD_TOKEN and parse JSON-RPC results. They do not instruct the agent to read unrelated files or system credentials. One caveat: the skill includes an auto-bind-coupons tool that will modify the user account (claim coupons) — this is within the claimed scope but is a state-changing operation that should require user consent.
Install Mechanism
No install spec or code files — instruction-only skill. This is lower risk because nothing is written to disk by the skill package itself.
Credentials
SKILL.md requires an API token (MCD_TOKEN) which is proportionate to calling a user-scoped McDonald's API. But the registry metadata lists no required env vars, creating an inconsistency. The token is a sensitive credential and the skill would have direct capability to act on the user's account (including claiming coupons). No other unrelated credentials are requested.
Persistence & Privilege
always:false (normal). Model invocation is enabled (default), so the agent could autonomously call the MCP endpoints. Combined with the auto-bind-coupons action, that means the skill could perform account-altering operations automatically unless you configure the agent to require confirmation — recommend requiring explicit user confirmation for write operations.
What to consider before installing
- Source unknown: The skill has no homepage and an unknown owner — treat it as unvetted. Verify the MCP endpoint (https://mcp.mcd.cn) is legitimate before providing any token.
- Token required but not declared in metadata: SKILL.md expects MCD_TOKEN (and optional MCD_MCP_URL), yet the registry metadata listed no required env vars. That mismatch is suspicious; assume the skill will need your MCD_TOKEN to operate.
- Sensitive capability: With your MCD_TOKEN the skill can perform state-changing actions (auto-bind-coupons) against your account. Only grant a token you control, and prefer a limited-scope or revocable token if possible.
- Operational safety: Configure the agent to ask for explicit user confirmation before running the "auto-bind-coupons" or any action that modifies your account. Consider allowing read-only calls (list coupons, nutrition) first and test behavior.
- Token handling: Never paste tokens into public chats. Store MCD_TOKEN in a secure place and rotate/revoke it if you stop using the skill or see unexpected activity.
- Rate limits & privacy: The skill warns about rate limits; avoid automated high-frequency polling. Review what personal data the MCP API returns and whether you are comfortable sharing it with the agent.
If you need higher assurance, ask the skill author for a homepage/source repo, a declared list of required env vars in the registry metadata, and documentation of token scopes and safety controls.
latest vk97b42gndyksc0tdav6pmanda180kgm0
Runtime requirements
🍔 Clawdis
