Subway Agent (90% OFF - Launch Special)
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: subway-restaurant-agent Version: 1.0.2 The skill bundle describes a legitimate restaurant ordering agent that integrates WhatsApp with Google Sheets for menu management and order logging. It utilizes a safety framework called 'ThumbGate' to enforce business logic and prevent AI hallucinations (defined in SKILL.md and thumbgate-rules.md). While the setup-guide.md includes an affiliate link for ElevenLabs and an npx command to initialize the safety tool, these actions are consistent with the stated purpose of the agent and do not show signs of malicious intent, data exfiltration, or unauthorized access.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could confirm or record customer orders through business channels before the restaurant has fully validated fulfillment, staffing, payment, or cancellation handling.
This sets a broad autonomous trigger for customer-facing WhatsApp interactions. Combined with order confirmation and Google Sheets writes, it creates high-impact business actions without clearly defined operator approval, rollback, or containment boundaries.
When to Trigger: Any message from a customer on WhatsApp that sounds like an order, menu question, or inquiry.
Use a test WhatsApp number and test Sheet first, require explicit customer confirmation and preferably operator approval for live orders, and define clear cancellation, payment, and fulfillment handoff rules.
A restaurant operator may overtrust the agent in production because the listing suggests safety guarantees that are not demonstrated by the included artifacts.
The artifacts make strong safety and authority claims, but the submitted package is instruction-only and the enforcement depends on an external ThumbGate setup not reviewed here.
Uses **ThumbGate** so it physically cannot repeat common expensive mistakes ... This skill was built by someone who actually ran the mobile app team at Subway corporate. It works.
Treat the safety claims as unverified until ThumbGate, the WhatsApp integration, and the Sheets workflow have been independently reviewed and tested under realistic failure cases.
If configured too broadly, the agent or service account could access or modify more business/customer data than intended.
The skill requires delegated access to a Google Sheet and a WhatsApp number. This is expected for the stated purpose, but it is account authority that should be narrowly scoped.
Create the Google Sheet above and share it with your OpenClaw service account. ... Connect your WhatsApp number in OpenClaw settings.
Use a dedicated Google Sheet, a least-privilege service account, and a dedicated WhatsApp number or sandbox until production behavior is validated.
Customer phone numbers and order history could be exposed to anyone with access to the Sheet or reused beyond the original ordering task.
The skill stores customer identifiers and order details in a persistent external spreadsheet. This is disclosed and relevant to restaurant operations, but retention, access control, and reuse boundaries are not specified.
Log the order to Google Sheets with: Timestamp, Customer Name/Phone, Items, Total, Upsell Success (Yes/No), Notes.
Limit Sheet sharing, document retention rules, avoid unnecessary notes containing sensitive data, and ensure the workflow complies with applicable privacy requirements.
Running the command could execute third-party setup code that was not reviewed as part of this skill.
The setup uses an unpinned external npx package that is not included in the reviewed artifacts. This is a user-directed setup step and appears central to the stated safety layer, but its provenance is not verifiable from the package.
Install ThumbGate (if not already): `npx thumbgate init --agent openclaw`
Verify the ThumbGate package source and version, review its code or checksum if possible, and run setup in a sandbox before using it with production accounts.