Back to skill

Security audit

McDonald's China

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward McDonald's China coupon CLI skill, but one documented command can claim coupons on your account.

Install only if you trust the Homebrew tap and the mcd-cn CLI. Treat MCDCN_MCP_TOKEN like a password, avoid committing it in .env files, and run auto-bind-coupons only when you intentionally want coupons claimed on your McDonald's China account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description explicitly advertises 'auto-claiming' coupons, which is an account-affecting action, but it provides no warning that using the command will modify the user's McDonald's account state. In an agent setting, this increases the risk of unintended actions being taken on behalf of a user without clear confirmation or informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The command list includes `mcd-cn auto-bind-coupons` alongside read-only lookup commands without any label indicating that it changes account state. This can mislead users or automation into treating it as a harmless query, resulting in unintended coupon claims or other account modifications.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.