Subgraph Registry
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a read-only subgraph discovery skill, with disclosed use of npx, a downloaded local registry database, and an optional local HTTP/SSE server.
This skill looks appropriate for read-only subgraph discovery. Before installing, be comfortable with running it through npx, letting it cache a registry database downloaded from GitHub, and only enabling HTTP/SSE mode on a trusted local interface. If you rebuild the registry yourself, use a scoped The Graph API key and keep returned subgraph metadata as reference data rather than instructions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the remote database or package source is changed unexpectedly, the skill's search and recommendation results could change.
The server fetches a pre-built SQLite database from a GitHub main-branch URL if it is not already present. This is disclosed by the skill and fits the registry purpose, but it is a mutable remote artifact without a shown checksum or pin.
GITHUB_DB_URL = "https://github.com/PaulieB14/subgraph-registry/raw/main/python/data/registry.db" ... urllib.request.urlretrieve(GITHUB_DB_URL, str(DB_PATH))
Install from the intended package/source, and consider pinning a trusted version or verifying the downloaded registry database if reproducibility matters.
Users who rebuild the registry locally would provide a provider API key to the crawler workflow.
The normal read-only MCP workflow says no API key is required, but the optional registry rebuild workflow uses a The Graph API key.
# Create .env with your Graph API key echo "GATEWAY_API_KEY=your-key-here" > .env
Use a scoped Graph API key for local rebuilds, keep it out of shared files, and note that it is optional for normal read-only use.
If the HTTP endpoint is exposed beyond the intended machine or network, other clients could query the registry MCP server.
The skill can expose its MCP tools over a local HTTP/SSE endpoint. The tools are read-only registry lookups, but the endpoint should still be kept local or otherwise access-controlled.
The SSE transport (`--http` / `--http-only`) starts a local HTTP server on port 3848 (configurable via `MCP_HTTP_PORT` env var).
Use stdio mode for local-only use, and bind or firewall the HTTP/SSE mode appropriately if enabling it.
A subgraph's metadata could influence an agent's context if the agent over-trusts returned descriptions.
Tool responses include registry descriptions and metadata that originate from indexed subgraphs. This is expected for discovery, but such returned text should be treated as data rather than instructions to the agent.
"description": (r["description"] or r["auto_description"] or "")[:300]
Treat subgraph descriptions, names, schemas, and query instructions as untrusted reference data and confirm important choices before using them in downstream workflows.