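📦 McDonald's MCP Automation — McDonald's automatic coupon claiming and ordering
v1.1.0 McDonald's MCP interface automation tool: automatically claims coupons, checks stock, computes the best discount and places the order in one click, saving the hassle of manual operation.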
Last updated: 2026/4/21
Security scan
OpenClaw
Suspicious
High confidence: The skill largely does what its description says, but there are multiple inconsistencies and omissions (undeclared required credentials, undeclared binaries, hard-coded signing secret, misleading docs) that warrant caution before installation.
Assessment recommendations
Do not run this script blindly. Before installing: (1) confirm the repository/source (homepage shows placeholders); prefer an official upstream. (2) Inspect the mcd-cli.sh locally — it requires MCD_TOKEN and shells out to openssl and bc (ensure these are installed and declared). (3) Do not paste long-lived tokens into publicly visible cron jobs or logs; use a secure secret store and rotate tokens frequently. (4) Be cautious about the SKILL.md suggestion to '抓包获取' (packet capture) — intercepting ...
⚠ Purpose and capabilities
Name/description match the script's functionality (coupon receive, stock query, price calc). However the registry metadata declares no required environment variables while both SKILL.md and mcd-cli.sh require MCD_TOKEN; the script also uses other tools (openssl, bc) that are not declared. The skill therefore fails to declare the credentials and binaries it actually needs.
⚠ Instruction scope
SKILL.md instructs users to capture the MCD_TOKEN via packet capture and to place the token in environment/cron jobs — both are sensitive operations. The docs and '避坑指南' (pitfall guide) contain guidance about JSON-RPC/tools/call but the script calls /v1/... endpoints (inconsistent). The script constructs signed requests and posts to https://mcp.mcd.cn only (no third-party exfil endpoints), but instructions encourage storing tokens in cron which increases exposure.
✓ Install mechanism
There is no install spec (instruction-only skill) and a single bash script is included. This is lower install risk since nothing is downloaded at runtime, but included code still runs locally and should be reviewed before execution.
⚠ Credential requirements
The script requires a private MCD_TOKEN (and SKILL.md documents MCD_NOTIFY_URL, MCD_CITY, MCD_STORE_ID) yet the registry lists no required env vars. The script also uses a hard-coded signing secret string, which is sensitive and unusual to embed client-side. Missing declarations for openssl and bc increase the chance of runtime errors and undisclosed behavior.
✓ Persistence and privileges
always:false and no system config paths requested. The skill does not ask for permanent platform privileges. It does recommend adding a cron job (user action), which would store a token in a scheduler environment — that is a user-configured persistence decision, not an automated privilege escalation by the skill itself.
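Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.1.0 2026/3/17
Update: added a practical pitfall guide, corrected the JSON-RPC call flow, updated the token validity period to 24h~7 days, added the checks that must be done before ordering, fixed the incorrect product code issue
● Suspicious
Install command
Official: npx clawhub@latest install mcd-mcp
Mirror (accelerated): npx clawhub@latest install mcd-mcp --registry https://cn.longxiaskill.com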