ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

麦当劳MCP自动化工具

v1.1.0

麦当劳MCP接口自动化工具,支持自动领券、查询门店库存、计算最优优惠组合、一键下单,解决麦当劳优惠券手动领取麻烦、库存查询不便的问题。

0· 135·0 current·0 all-time
by@winter1102
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description match the script's functionality (coupon receive, stock query, price calc). However the registry metadata declares no required environment variables while both SKILL.md and mcd-cli.sh require MCD_TOKEN; the script also uses other tools (openssl, bc) that are not declared. The skill therefore fails to declare the credentials and binaries it actually needs.
!
Instruction Scope
SKILL.md instructs users to capture the MCD_TOKEN via packet capture and to place the token in environment/cron jobs — both are sensitive operations. The docs and '避坑指南' contain guidance about JSON-RPC/tools/call but the script calls /v1/... endpoints (inconsistent). The script constructs signed requests and posts to https://mcp.mcd.cn only (no third‑party exfil endpoints), but instructions encourage storing tokens in cron which increases exposure.
Install Mechanism
There is no install spec (instruction-only skill) and a single bash script is included. This is lower install risk since nothing is downloaded at runtime, but included code still runs locally and should be reviewed before execution.
!
Credentials
The script requires a private MCD_TOKEN (and SKILL.md documents MCD_NOTIFY_URL, MCD_CITY, MCD_STORE_ID) yet the registry lists no required env vars. The script also uses a hard-coded signing secret string, which is sensitive and unusual to embed client-side. Missing declarations for openssl and bc increase the chance of runtime errors and undisclosed behavior.
Persistence & Privilege
always:false and no system config paths requested. The skill does not ask for permanent platform privileges. It does recommend adding a cron job (user action), which would store a token in a scheduler environment — that is a user-configured persistence decision, not an automated privilege escalation by the skill itself.
What to consider before installing
Do not run this script blindly. Before installing: (1) confirm the repository/source (homepage shows placeholders); prefer an official upstream. (2) Inspect the mcd-cli.sh locally — it requires MCD_TOKEN and shells out to openssl and bc (ensure these are installed and declared). (3) Do not paste long-lived tokens into publicly visible cron jobs or logs; use a secure secret store and rotate tokens frequently. (4) Be cautious about the SKILL.md suggestion to '抓包获取' (packet capture) — intercepting app traffic can expose other credentials and may violate terms. (5) Note the script embeds a signing secret — ask the author why a client secret is hard-coded. (6) If you still want to use it, run it in an isolated account/container, verify it only talks to the expected domain (https://mcp.mcd.cn), and avoid granting broader credentials. If any of these concerns are unacceptable or unexplained by the author, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk979eq1sybx0qhsn6ddyb12prs8336wm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq

SKILL.md

麦当劳MCP自动化工具

🍟 麦当劳接口自动化工具,自动领券、查库存、算优惠、一键下单。

功能特性

✅ 每日自动领取当日可用优惠券
✅ 查询附近任意门店的产品库存
✅ 自动计算最优优惠组合,最大化省钱
✅ 支持一键下单到店取餐
✅ 多账号管理,全家共用
✅ 优惠券过期提醒,不浪费任何优惠

环境要求

  • curl (默认系统自带)
  • jq (JSON解析工具,brew install jqapt install jq 安装)

快速开始

1. 获取Token

打开麦当劳App,抓包获取请求头中的MCD_TOKEN,或使用登录接口获取。

2. 配置Token

export MCD_TOKEN="你的MCD_TOKEN"

3. 常用命令

# 领取今日优惠券
./mcd-cli.sh coupon:receive

# 查询附近门店库存
./mcd-cli.sh store:stock --city "北京" --keyword "麦辣鸡腿堡"

# 计算最优优惠组合
./mcd-cli.sh order:calculate --items "麦辣鸡腿堡,薯条,可乐"

# 一键下单
./mcd-cli.sh order:place --store-id "12345" --items "麦辣鸡腿堡,薯条,可乐"

配置说明

环境变量说明默认值
MCD_TOKEN麦当劳接口Token必填
MCD_CITY默认城市自动定位
MCD_STORE_ID默认门店ID自动选择最近门店
MCD_NOTIFY_URL优惠提醒通知地址

避坑指南(实战总结)

  1. 接口地址正确格式:✅ 正确:POST到 https://mcp.mcd.cn/(根地址),使用JSON-RPC 2.0协议调用;❌ 错误:不要调用/v1/xxx这类RESTful路径,会返回404
  2. 调用方式正确格式:所有业务接口都通过 tools/call 方法调用,参数为工具名称和参数,不要直接调用业务路径
  3. 商品编码必查:下单前必须先调用 query-meals 获取真实商品编码和对应名称,禁止凭记忆猜编码,避免下错单
  4. 优惠券ID必查:优惠券ID从 query-my-couponsquery-store-coupons 获取,禁止直接填优惠券名称,会导致优惠无法使用
  5. 下单前置检查:创建订单前必须先调用 calculate-price 确认价格、商品、优惠是否正确,再提交订单
  6. Token有效期:用户账号Token有效期为24小时~7天,无需频繁刷新,返回401再重新获取
  7. 调用频率:接口调用间隔至少2秒,单日调用不超过200次,避免风控
  8. 风控处理:如果被限制访问,等待24小时自动解封,或更换账号
  9. 库存查询:部分三四线城市门店不支持库存查询,自动降级为仅显示优惠券

定时任务配置

每天早上8点自动领取优惠券:

0 8 * * * export MCD_TOKEN="你的Token" && /path/to/mcd-cli.sh coupon:receive

项目地址

GitHub: https://github.com/yourname/mcd-mcp 文档: https://docs.example.com/mcd-mcp

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…