← Back to Skills Marketplace

麦当劳MCP自动化工具

Name: 麦当劳MCP自动化工具
Author: winter1102

by winter1102 · GitHub ↗ · v1.1.0 · MIT-0

cross-platform ⚠ suspicious

271

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install mcd-mcp

Description

麦当劳MCP接口自动化工具，支持自动领券、查询门店库存、计算最优优惠组合、一键下单，解决麦当劳优惠券手动领取麻烦、库存查询不便的问题。

Usage Guidance

Do not run this script blindly. Before installing: (1) confirm the repository/source (homepage shows placeholders); prefer an official upstream. (2) Inspect the mcd-cli.sh locally — it requires MCD_TOKEN and shells out to openssl and bc (ensure these are installed and declared). (3) Do not paste long-lived tokens into publicly visible cron jobs or logs; use a secure secret store and rotate tokens frequently. (4) Be cautious about the SKILL.md suggestion to '抓包获取' (packet capture) — intercepting app traffic can expose other credentials and may violate terms. (5) Note the script embeds a signing secret — ask the author why a client secret is hard-coded. (6) If you still want to use it, run it in an isolated account/container, verify it only talks to the expected domain (https://mcp.mcd.cn), and avoid granting broader credentials. If any of these concerns are unacceptable or unexplained by the author, do not install.

Capability Analysis

Type: OpenClaw Skill Name: mcd-mcp Version: 1.1.0 The skill bundle contains a critical shell injection vulnerability in `mcd-cli.sh` because user-provided inputs (such as city names or keywords) are passed unsanitized into a `curl` command, potentially allowing arbitrary command execution. Furthermore, there is a major discrepancy between the `SKILL.md` instructions, which claim the API uses JSON-RPC 2.0 and a `tools/call` method, and the actual `mcd-cli.sh` script, which uses REST-like endpoints (e.g., `/v1/coupon/receive`). While the script targets a legitimate domain (mcp.mcd.cn) and uses a known signature salt, the combination of RCE risk and contradictory instructions makes the bundle unsafe for use.

Capability Assessment

⚠ Purpose & Capability

Name/description match the script's functionality (coupon receive, stock query, price calc). However the registry metadata declares no required environment variables while both SKILL.md and mcd-cli.sh require MCD_TOKEN; the script also uses other tools (openssl, bc) that are not declared. The skill therefore fails to declare the credentials and binaries it actually needs.

⚠ Instruction Scope

SKILL.md instructs users to capture the MCD_TOKEN via packet capture and to place the token in environment/cron jobs — both are sensitive operations. The docs and '避坑指南' contain guidance about JSON-RPC/tools/call but the script calls /v1/... endpoints (inconsistent). The script constructs signed requests and posts to https://mcp.mcd.cn only (no third‑party exfil endpoints), but instructions encourage storing tokens in cron which increases exposure.

✓ Install Mechanism

There is no install spec (instruction-only skill) and a single bash script is included. This is lower install risk since nothing is downloaded at runtime, but included code still runs locally and should be reviewed before execution.

⚠ Credentials

The script requires a private MCD_TOKEN (and SKILL.md documents MCD_NOTIFY_URL, MCD_CITY, MCD_STORE_ID) yet the registry lists no required env vars. The script also uses a hard-coded signing secret string, which is sensitive and unusual to embed client-side. Missing declarations for openssl and bc increase the chance of runtime errors and undisclosed behavior.

✓ Persistence & Privilege

always:false and no system config paths requested. The skill does not ask for permanent platform privileges. It does recommend adding a cron job (user action), which would store a token in a scheduler environment — that is a user-configured persistence decision, not an automated privilege escalation by the skill itself.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install mcd-mcp
After installation, invoke the skill by name or use /mcd-mcp
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.1.0

更新：新增实战避坑指南、修复正确的JSON-RPC调用流程、更新Token有效期为24h~7天、补充下单前必做检查步骤、修复商品编码错误问题

v1.0.0

Initial release: 支持自动领券、查询门店库存、计算最优优惠组合，自动处理风控和Rate Limit问题

Metadata

Slug mcd-mcp

Version 1.1.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 2

Frequently Asked Questions

What is 麦当劳MCP自动化工具?

麦当劳MCP接口自动化工具，支持自动领券、查询门店库存、计算最优优惠组合、一键下单，解决麦当劳优惠券手动领取麻烦、库存查询不便的问题。 It is an AI Agent Skill for Claude Code / OpenClaw, with 271 downloads so far.

How do I install 麦当劳MCP自动化工具?

Run "/install mcd-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 麦当劳MCP自动化工具 free?

Yes, 麦当劳MCP自动化工具 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 麦当劳MCP自动化工具 support?

麦当劳MCP自动化工具 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 麦当劳MCP自动化工具?

It is built and maintained by winter1102 (@winter1102); the current version is v1.1.0.

More Skills