McDonald's Ordering Skill (麦当劳点餐skill)

Security checks across malware telemetry and agentic risk

Overview

This McDonald's ordering skill is mostly purpose-aligned, but it handles account-linked ordering and payment artifacts with persistent local writes that deserve manual review before installation.

Install only if you trust the publisher and are comfortable giving the skill a McDonald's MCP token. Review any change to ~/.mcporter/mcporter.json, avoid using it on shared machines, confirm address/items/price before order creation, and delete /tmp/mcd_pay_*.png payment QR files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
These instructions direct the agent to modify ~/.mcporter/mcporter.json, which changes global local tooling configuration outside the immediate task of placing an order. Altering shared MCP registration can persist beyond the session, affect other skills or workflows, and introduces risk if the endpoint or auth configuration is wrong, stale, or later abused.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill asks the agent to write user-provided meal preferences into a local config.json file as persistent state, which extends beyond transient ordering and tracking. Persistent local writes can surprise users, create privacy concerns, and be abused to store unintended content or alter future behavior without sufficiently explicit consent.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script converts a payment URL into a QR code and writes it to a predictable path under /tmp. Although related to ordering, persisting payment-linked artifacts in a shared temporary directory can expose payment session data to other local users/processes and leaves residual sensitive files without lifecycle controls.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad everyday expressions such as wanting to eat McDonald's, which can cause the skill to activate in contexts where the user did not intend ordering actions. Overbroad activation increases the chance of unintended address queries, menu lookups, or account-linked operations being initiated without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to write user meal choices into local config.json but does not clearly notify the user that this data will be stored persistently on disk. Lack of explicit persistence notice undermines informed consent and can expose preference data to other local processes or future sessions unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code saves a PNG containing a live payment URL to /tmp without warning the user that sensitive payment material is being persisted locally. Lack of disclosure and retention controls increases the chance of unintended access, replay, or leakage through shared-host inspection and log/debug workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
