The biggest disadvantage is that once you have such a login API, it is very easy to just send the link around without thinking about it.
I have experience with that myself from a school project with a similar way to login. People started to send the links via email (which are unencrypted!), something they wouldn’t have done with username/password combinations.
Sending login URLs via email is generally fine, but there is one very important piece to this puzzle: The link must absolutely only work once. But for a way to login to your Kirby site, that’s not useful at all.
So the conclusion is: Having such a way to login is completely fine from a security standpoint as long as you are the only one who uses it by bookmarking the link etc.
Once other people get to use it, it can be pretty bad.
To make this hash secure by any means, you need to sign it, because it is very, very, very easy to just fake the MD5 hash if you know how it’s structured.
Depending on the secret string, the MD5 might even be in some rainbow tables, which means that it’s easy to extract the secret string and therefore easy to build your own hash.
You could use something like openssl_sign for the signing process. The local keyserver would sign the current date with a private key and the Kirby site would verify the resulting string using the public key. You don’t need to include a secret string when signing because the private key is the secret string.
Also make sure to include the year, month and day when signing to prevent key re-use on every following day.