Total downloads: 618
Favorites: 0
Current installs: 4
Versions: 5
Install in OpenClaw
/install mcdonald-order
Description
McDonald's China assistant (麦当劳助手) for coupon management, delivery ordering, and nutrition planning. Use this skill when users explicitly mention McDonald's...
Security usage recommendations
Do not install blindly. Specific things to check before using or installing:
1) Source provenance — the package lists no homepage and the owner/publisher is unknown; prefer packages from trusted repositories.
2) Metadata mismatch — the registry metadata claims no required env vars or binaries but SKILL.md/README require MCD_TOKEN and execute_bash; ask the publisher to correct metadata.
3) Limit exposure — create a dedicated, limited-scope test token for this skill and rotate/revoke it after testing.
4) Avoid setting MCD_MCP_URL to anything other than the default unless you trust the endpoint; treat that variable as sensitive.
5) Prefer running the skill in a sandbox or container and monitor network traffic to confirm requests go only to mcp.mcd.cn.
6) Because execute_bash can run arbitrary commands, inspect SKILL.md/README carefully and only proceed if you understand and accept the risk.
If you are uncertain, decline installation or require the publisher to provide verifiable source (repo link, checksum, and consistent metadata).
Functional analysis
Type: OpenClaw Skill
Name: mcdonald-order
Version: 1.0.5
The skill is classified as suspicious due to its reliance on the `execute_bash` tool, which grants the ability to execute arbitrary shell commands. While the `SKILL.md` and `SECURITY.md` documentation explicitly state that `execute_bash` is intended *only* for `curl` commands targeting `mcp.mcd.cn` and include strong instructions for user confirmation on sensitive actions, the inherent power of `execute_bash` combined with handling of the sensitive `MCD_TOKEN` environment variable presents a significant vulnerability. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized domains or backdoor installation; instead, the documentation is remarkably transparent about the risks and mitigation strategies in `README.md` and `SECURITY.md`.
Capability assessment
Purpose & Capability
The SKILL.md describes a McDonald's ordering/coupon/nutrition assistant and the required artifacts (MCD_TOKEN and an MCP endpoint) are coherent with that purpose. However, the registry metadata at the top of the package claims no required environment variables or credentials while SKILL.md and README explicitly require MCD_TOKEN and the execute_bash tool — this metadata mismatch is a significant incoherence. Also README version (2.0.0) doesn't match registry version (1.0.5), further reducing trust in provenance.
Instruction Scope
Instructions stay within the McDonald's MCP API domain (curl calls to mcp.mcd.cn and described read/write flows). The skill requires user confirmation before write actions, and the SKILL.md/SECURITY.md explicitly warn not to log the token. However: (1) the skill relies on execute_bash to run curl, which can execute arbitrary shell commands if misused; (2) MCD_MCP_URL is overridable, so a compromised or misconfigured environment could point requests at an attacker-controlled endpoint and leak the token; and (3) because this is instruction-only there is no enforcement that only the described curl commands will be executed.
Install Mechanism
This is an instruction-only skill with no install spec or code to download, which minimizes disk-write/install risk. Nothing in the package auto-downloads or extracts external artifacts.
Credentials
The SKILL.md and README require a single sensitive credential (MCD_TOKEN) and optionally MCD_MCP_URL — that is proportionate for a service that must act on a user's McDonald's account. However, the registry metadata claims no required env vars, so the package metadata underreports sensitive requirements. Requiring execute_bash is functionally explainable (to call curl) but grants the ability to run arbitrary shell commands, raising risk for token exposure. The optional MCD_MCP_URL parameter also creates a plausible attack vector if set to a non-MCP host.
Persistence & Privilege
The skill does not request persistent privileges (always:false), no config paths are declared, and it does not claim to modify other skills or system-wide settings. There is no automatic installation or persistent agent-level privilege requested.
How to use
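- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install mcdonald-order`
- Once installation completes, invoke the Skill by name or trigger it with `/mcdonald-order`
- Provide the required inputs according to the Skill's parameter description to get structured output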
Version history
v1.0.5
- Added README.md and SECURITY.md documentation files.
- Improved transparency on skill usage, prerequisites, and security practices for all users.
- No changes to skill logic or APIs.
v1.0.4
- Added detailed descriptions for environment variables, including names, requirement status, and default values.
- Introduced documentation for the optional `MCD_MCP_URL` environment variable with default set to https://mcp.mcd.cn.
- No changes to features, flows, or functionality. Documentation accuracy for deployment improved.
v1.0.3
**Changelog for mcdonald-order v1.0.3**
- Security and user confirmation guidance added: now explicitly states never to log or expose `MCD_TOKEN`, and to require user confirmation before claiming coupons or creating orders.
- Clarified description: now only triggers when users explicitly mention McDonald's and want eligible actions, rather than any context.
- Emphasized price confirmation: price calculations must always be confirmed by the user before creating an order.
- Added security_notes under compatibility, summarizing handling of credentials and confirmation requirements.
- No code or tool changes; documentation and security guidance improved.
v1.0.1
**Expanded documentation and improved trigger guidance for McDonald's China assistant**
- Added detailed usage instructions, including explicit trigger conditions for every function.
- Outlined exact step-by-step workflows for coupon claiming, delivery ordering, nutrition planning, and order tracking.
- Clarified required data dependencies—e.g., address lookup must precede menu or order operations.
- Specified required output formats for nutrition info (table with all macros) and coupon lists.
- Improved error handling guidance for missing environment variables and API authentication failures.
- Restructured documentation so users and developers can more easily follow correct flows and integration practices.
v1.0.0
Initial release of 麦当劳助手 skill.
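- Supports querying and claiming coupons, the campaign calendar, and meal nutrition information
- Can query/create delivery addresses and delivery orders
- Supports querying coupons available at a store, the meal list, and meal details
- Provides menu, price calculation, order lookup, and other practical functions
- Requires an API Token obtained from the MCP official website to configure and use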
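FAQ
What is 麦当劳智能点餐助手 (McDonald's smart ordering assistant)?
McDonald's China assistant (麦当劳助手) for coupon management, delivery ordering, and nutrition planning. Use this skill when users explicitly mention McDonald's... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 618 cumulative downloads so far.
How do I install 麦当劳智能点餐助手?
Run the command "/install mcdonald-order" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is 麦当劳智能点餐助手 free?
Yes, 麦当劳智能点餐助手 is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does 麦当劳智能点餐助手 support?
麦当劳智能点餐助手 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed 麦当劳智能点餐助手?
Developed and maintained by lililiSir (@lililisir); the current version is v1.0.5.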