lililisir

麦当劳智能点餐助手

by lililiSir · GitHub ↗ · v1.0.5
cross-platform ⚠ suspicious
Downloads: 618
Stars: 0
Active Installs: 4
Versions: 5
Install in OpenClaw
/install mcdonald-order
Description
McDonald's China assistant (麦当劳助手) for coupon management, delivery ordering, and nutrition planning. Use this skill when users explicitly mention McDonald's...
Usage Guidance
Do not install blindly. Specific things to check before using or installing:
  1. Source provenance — the package lists no homepage and the owner/publisher is unknown; prefer packages from trusted repositories.
  2. Metadata mismatch — the registry metadata claims no required env vars or binaries but SKILL.md/README require MCD_TOKEN and execute_bash; ask the publisher to correct metadata.
  3. Limit exposure — create a dedicated, limited-scope test token for this skill and rotate/revoke it after testing.
  4. Avoid setting MCD_MCP_URL to anything other than the default unless you trust the endpoint; treat that variable as sensitive.
  5. Prefer running the skill in a sandbox or container and monitor network traffic to confirm requests go only to mcp.mcd.cn.
  6. Because execute_bash can run arbitrary commands, inspect SKILL.md/README carefully and only proceed if you understand and accept the risk.
If you are uncertain, decline installation or require the publisher to provide verifiable source (repo link, checksum, and consistent metadata).
Capability Analysis
Type: OpenClaw Skill
Name: mcdonald-order
Version: 1.0.5
The skill is classified as suspicious due to its reliance on the `execute_bash` tool, which grants the ability to execute arbitrary shell commands. While the `SKILL.md` and `SECURITY.md` documentation explicitly state that `execute_bash` is intended *only* for `curl` commands targeting `mcp.mcd.cn` and includes strong instructions for user confirmation on sensitive actions, the inherent power of `execute_bash` combined with handling of the sensitive `MCD_TOKEN` environment variable presents a significant vulnerability. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized domains or backdoor installation; instead, the documentation is remarkably transparent about the risks and mitigation strategies in `README.md` and `SECURITY.md`.
Capability Assessment
Purpose & Capability
The SKILL.md describes a McDonald's ordering/coupon/nutrition assistant and the required artifacts (MCD_TOKEN and an MCP endpoint) are coherent with that purpose. However, the registry metadata at the top of the package claims no required environment variables or credentials while SKILL.md and README explicitly require MCD_TOKEN and the execute_bash tool; this metadata mismatch is a significant incoherence. Also, the README version (2.0.0) doesn't match the registry version (1.0.5), further reducing trust in provenance.
Instruction Scope
Instructions stay within the McDonald's MCP API domain (curl calls to mcp.mcd.cn and described read/write flows). The skill requires user confirmation before write actions, and the SKILL.md/SECURITY.md explicitly warn not to log the token. However: (1) the skill relies on execute_bash to run curl, which can execute arbitrary shell commands if misused; (2) MCD_MCP_URL is overridable, so a compromised or misconfigured environment could point requests at an attacker-controlled endpoint and leak the token; and (3) because this is instruction-only there is no enforcement that only the described curl commands will be executed.
Install Mechanism
This is an instruction-only skill with no install spec or code to download, which minimizes disk-write/install risk. Nothing in the package auto-downloads or extracts external artifacts.
Credentials
The SKILL.md and README require a single sensitive credential (MCD_TOKEN) and optionally MCD_MCP_URL — that is proportionate for a service that must act on a user's McDonald's account. However, the registry metadata claims no required env vars, so the package metadata underreports sensitive requirements. Requiring execute_bash is functionally explainable (to call curl) but grants the ability to run arbitrary shell commands, raising risk for token exposure. The optional MCD_MCP_URL parameter also creates a plausible attack vector if set to a non-MCP host.
Persistence & Privilege
The skill does not request persistent privileges (always:false), no config paths are declared, and it does not claim to modify other skills or system-wide settings. There is no automatic installation or persistent agent-level privilege requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mcdonald-order
  3. After installation, invoke the skill by name or use /mcdonald-order
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.5
- Added README.md and SECURITY.md documentation files.
- Improved transparency on skill usage, prerequisites, and security practices for all users.
- No changes to skill logic or APIs.
v1.0.4
- Added detailed descriptions for environment variables, including names, requirement status, and default values.
- Introduced documentation for the optional `MCD_MCP_URL` environment variable with default set to https://mcp.mcd.cn.
- No changes to features, flows, or functionality. Documentation accuracy for deployment improved.
v1.0.3
**Changelog for mcdonald-order v1.0.3**
- Security and user confirmation guidance added: now explicitly states never to log or expose `MCD_TOKEN`, and to require user confirmation before claiming coupons or creating orders.
- Clarified description: now only triggers when users explicitly mention McDonald's and want eligible actions, rather than any context.
- Emphasized price confirmation: price calculations must always be confirmed by the user before creating an order.
- Added security_notes under compatibility, summarizing handling of credentials and confirmation requirements.
- No code or tool changes; documentation and security guidance improved.
v1.0.1
**Expanded documentation and improved trigger guidance for McDonald's China assistant**
- Added detailed usage instructions, including explicit trigger conditions for every function.
- Outlined exact step-by-step workflows for coupon claiming, delivery ordering, nutrition planning, and order tracking.
- Clarified required data dependencies—e.g., address lookup must precede menu or order operations.
- Specified required output formats for nutrition info (table with all macros) and coupon lists.
- Improved error handling guidance for missing environment variables and API authentication failures.
- Restructured documentation so users and developers can more easily follow correct flows and integration practices.
v1.0.0
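Initial release of 麦当劳助手 skill.
- Supports querying and claiming coupons, the campaign calendar, and menu item nutrition information
- Can query and create delivery addresses and delivery orders
- Supports querying the coupons available at a store, plus the menu item list and item details
- Provides menu, price calculation, order lookup and other utility functions
- Requires an API token obtained from the MCP official website to configure and use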
Metadata
Slug mcdonald-order
Version 1.0.5
License
All-time Installs 4
Active Installs 4
Total Versions 5
Frequently Asked Questions

What is 麦当劳智能点餐助手?

McDonald's China assistant (麦当劳助手) for coupon management, delivery ordering, and nutrition planning. Use this skill when users explicitly mention McDonald's... It is an AI Agent Skill for Claude Code / OpenClaw, with 618 downloads so far.

How do I install 麦当劳智能点餐助手?

Run "/install mcdonald-order" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 麦当劳智能点餐助手 free?

Yes, 麦当劳智能点餐助手 is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 麦当劳智能点餐助手 support?

麦当劳智能点餐助手 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 麦当劳智能点餐助手?

It is built and maintained by lililiSir (@lililisir); the current version is v1.0.5.
