Subway Agent Lite
PassAudited by ClawScan on May 7, 2026.
Overview
This appears to be a lightweight demo ordering skill, but its mentioned WhatsApp and Google Sheets data flows are not documented in detail.
This skill does not include code or an installer in the supplied artifacts, and there is no evidence of malicious behavior. If you use it, verify how WhatsApp access and Google Sheets logging are implemented, restrict permissions to a dedicated account or sheet, and make sure customer/order data handling matches your privacy and business requirements.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may need permission to write to a Google Sheet if this advertised feature is actually used.
Writing to Google Sheets would normally require delegated Google account or sheet permissions, while the provided metadata declares no primary credential or required environment variables. No misuse is shown, but users should understand what account access is needed.
Direct logging to Google Sheets.
Grant the least privilege possible, such as access to a single dedicated order log sheet, and avoid broad Google Drive or account-wide permissions.
Customer names, phone numbers, order details, or other business data could be stored outside the chat environment if the logging feature is enabled.
The skill describes customer/order interactions over WhatsApp and storage in Google Sheets, which are external service data flows. The artifacts do not specify what fields are logged, retention, sheet sharing, or customer consent.
Basic WhatsApp ordering agent for sandwich shops... Direct logging to Google Sheets.
Before use, confirm exactly what data is logged, who can access the sheet, how long records are retained, and whether customers are informed.