Subway Restaurant Agent

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a restaurant-ordering prompt rather than malware, but it asks for WhatsApp and Google Sheets access while making strong safety claims that are not backed by included code or declared permissions.

Do not connect this directly to a production WhatsApp number or live order sheet without reviewing the actual integration code, credential scopes, and ThumbGate installation. Start with test credentials, a sandbox spreadsheet, human review for allergy or high-value orders, and clear monitoring/shutdown procedures.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A restaurant could rely on unverified safeguards for real customer orders, prices, or allergy-related requests.

Why it was flagged

The sales copy makes absolute safety and reliability claims for customer ordering. The supplied package is instruction-only with no code or install spec demonstrating those controls, so users could over-trust it for pricing, inventory, and allergen handling.

Skill content

uses ThumbGate to ensure 100% accuracy during rush hour

Recommendation

Treat this as a prompt/template until the actual WhatsApp, Sheets, and ThumbGate implementation is reviewed and tested; avoid absolute safety claims in production.

What this means

Installing with production credentials could give the agent access to customer messages and business order sheets beyond what the registry metadata suggests.

Why it was flagged

The setup asks for Google Sheets service-account access and a WhatsApp API token, while the registry metadata declares no required environment variables and no primary credential. These permissions are high-impact because they can expose or modify business order data and send customer-facing messages.

Skill content

Share the sheet with your OpenClaw service account. ... Add `WHATSAPP_API_TOKEN=your_token_here`.

Recommendation

Use least-privilege service accounts, test WhatsApp credentials, and a dedicated spreadsheet; require explicit documentation of token scope and environment variables before production use.

What this means

Incorrect parsing, pricing, or inventory interpretation could result in wrong orders being recorded or communicated to customers.

Why it was flagged

The agent is instructed to confirm orders and write transaction records. This is aligned with the ordering purpose, but it is a business-impacting workflow that should be bounded and tested.

Skill content

Provide a summarized bill and estimated pickup time. ... Record all transactions to the `orders` sheet

Recommendation

Start in a sandbox sheet, require human approval for high-value or allergy-related orders, and audit order logs before enabling customer-facing automation.

What this means

Customer order histories and identifiers may remain in a shared spreadsheet longer than intended.

Why it was flagged

The workflow persistently stores customer identifiers and order details in a Google Sheet. That is expected for an ordering system, but retention, sharing, and access controls are not described.

Skill content

Name Sheet 2 `Orders` (Columns: Timestamp, UserID, Items, Total, Status).

Recommendation

Limit spreadsheet sharing, define retention/deletion rules, and avoid storing payment data or unnecessary personal information.

What this means

A user may run an unreviewed or mismatched local tool while assuming it was covered by the skill metadata.

Why it was flagged

The setup depends on an external `thumbgate` command, but the registry lists no required binaries and there is no install spec. This is purpose-aligned, but users must verify the tool source and version themselves.

Skill content

Run `thumbgate import thumbgate-rules.md`.

Recommendation

Install ThumbGate only from a trusted source, pin or document the expected version, and review the imported rules before use.

Note: High Confidence

ASI10: Rogue Agents

What this means

If misconfigured, the agent could continue accepting or responding to orders outside intended operating conditions.

Why it was flagged

The skill is marketed as a continuously running ordering agent. This is consistent with the restaurant-bot purpose, but long-running customer-facing agents need monitoring and a clear off switch.

Skill content

24/7 Reliability: Runs on your Mac Mini or cloud without breaks.

Recommendation

Use store-hours controls, monitoring, rate limits, and an easy shutdown procedure before connecting a real WhatsApp number.