ClawHub

mcd-cn

v1.0.0

麦当劳助手 - 查询/领取优惠券、活动日历、餐品营养信息、门店查询

0· 1.2k·0 current·0 all-time
byhiyu@hi-yu·duplicate of @hi-yu/mcdonald
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (McDonald's helper: coupons, calendar, nutrition, store lookup) aligns with the operations in SKILL.md (curl calls to mcp.mcd.cn). However, the registry metadata reported 'Required env vars: none' while the SKILL.md requires an API token (MCD_TOKEN); that mismatch is unexpected and should be explained.
Instruction Scope
Instructions are explicit and limited to POSTing JSON-RPC calls to the MCP endpoint (mcp.mcd.cn) via curl and parsing responses. They do not instruct reading unrelated files or system state. One action (auto-bind-coupons) is state-changing (will attempt to claim coupons into the user account) — this is within the described domain but requires explicit user consent because it performs account actions.
Install Mechanism
No install spec and no code files are provided (instruction-only). This minimizes on-disk risk; the skill relies on curl being available at runtime.
!
Credentials
The SKILL.md requires an API credential (MCD_TOKEN) and an optional MCD_MCP_URL, which are proportionate to the stated purpose. However, the skill registry metadata claims no required environment variables — that inconsistency is concerning because a required credential is not declared in the registry. Users should be warned before supplying tokens.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify other skills or system-wide settings. Autonomous invocation is permitted by default but not combined with other privilege escalations here.
What to consider before installing
This skill appears to do what it says (call McDonald's MCP API) but has two issues you should consider before installing: (1) SKILL.md requires you to provide an MCD_TOKEN for your account, yet the registry metadata did not declare any required env vars — confirm with the publisher why the registry omits this. (2) The 'auto-bind-coupons' tool is state-changing and will perform actions in your account if the skill is allowed to run; do not enable autonomous execution of state-changing commands without explicit user consent. Additional recommendations: only provide the minimum-scoped token the service supports (avoid sharing full-account credentials), verify the MCP endpoint (https://mcp.mcd.cn) is legitimate, avoid pasting the token into public chats, consider requiring manual confirmation for coupon-claiming operations, and be mindful of rate limits and privacy implications.

Like a lobster shell, security has layers — review code before you run it.

latestvk97302q6gt1k389d32kra93hrh80j1qm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🍔 Clawdis

Comments