by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill appears to be a straightforward MCP client, but before installing you should: 1) Confirm the registry metadata is corrected to declare MCD_MCP_TOKEN as a required credential (and ideally mark it as the primary credential). 2) Treat MCD_MCP_TOKEN as sensitive — it can access addresses, orders, coupons, and account info; only provide a token you control and understand its scope. 3) Verify the endpoints (open.mcd.cn and mcp.mcd.cn) are legitimate and that you obtained the token from the ...详细分析 ▾
ℹ 用途与能力
The name, description, SKILL.md and the included Python script all consistently implement a McDonald's (MCP) API client for coupons, orders, addresses and points. The requested functionality (menu, coupons, create orders) aligns with the stated purpose.
✓ 指令范围
SKILL.md instructs the agent to use the provided script to call MCP endpoints over HTTPS and to set MCD_MCP_TOKEN. The runtime instructions are narrowly scoped to MCP operations and do not ask the agent to read unrelated files or contact unknown endpoints.
✓ 安装机制
This is instruction-only with a small included helper script; there is no installer, downloaded archive, or external package fetch. Nothing is written to disk by an installer step beyond running the script itself.
⚠ 凭证需求
The SKILL.md and script require an environment variable MCD_MCP_TOKEN for authorization, but the registry metadata lists no required env vars or primary credential. That mismatch is a concerning omission because the token grants access to sensitive account operations (addresses, orders, coupons).
✓ 持久化与权限
The skill is not always-enabled and does not request persistent system-level privileges. It does not modify other skills or agent-wide configuration.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/11
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install mcdonalds
镜像加速npx clawhub@latest install mcdonalds --registry https://cn.longxiaskill.com