v0.3.0

Subgraph Registry

Review: ClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:20 PM.

Analysis

The skill appears to be a mostly read-only subgraph lookup tool, but it uses an optional Graph API key and auto-downloads a mutable registry database from GitHub without those risks being clearly bounded in the skill metadata.

Guidance: This looks like a legitimate subgraph discovery MCP server, but install it carefully: pin the npm package version, avoid exposing the HTTP/SSE endpoint publicly, understand whether you need to provide a Graph API key, and prefer a pinned or checksummed registry database rather than an auto-download from GitHub main.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
python/mcp_server.py
"description": (r["description"] or r["auto_description"] or "")[:300]

The MCP tool returns subgraph descriptions sourced from registry data into the agent context. This is expected for discovery, but those descriptions are third-party content and should not be treated as instructions.

User impact: A malicious or misleading subgraph description could influence an agent if the agent treats returned text as instructions instead of data.
Recommendation: Treat registry descriptions as untrusted data and keep user/developer instructions higher priority than tool output text.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
python/mcp_server.py
GITHUB_DB_URL = "https://github.com/PaulieB14/subgraph-registry/raw/main/python/data/registry.db"

The server downloads a registry database from the mutable GitHub main branch if the local database is missing, with no checksum or pinned release artifact shown.

User impact: The data used for recommendations could change outside the packaged skill and without integrity verification.
Recommendation: Pin the database to a release asset or commit hash, publish checksums/signatures, and document the provenance of the downloaded registry.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
SKILL.md
npx subgraph-registry-mcp

The install instruction runs an npm package as an MCP server. This is expected for the tool, but it is still local code execution via npm.

User impact: Installing or launching the MCP server executes package code and its dependencies on the user's machine.
Recommendation: Pin the npm version when installing, review the package source, and run it with the least privileges needed.

Cascading Failures
Severity: Low | Confidence: High | Status: Note
python/scheduler.py
while True:
    try:
        ...
        await run_incremental()

The scheduler can repeatedly rebuild the registry on an interval. This is purpose-aligned, but bad upstream data could be propagated into the persistent registry until corrected.

User impact: Incorrect or poisoned registry updates could affect repeated recommendations across sessions.
Recommendation: Use checks, backups, and reviewable update logs for scheduled registry refreshes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
python/crawler.py
GATEWAY_API_KEY = os.environ.get("GATEWAY_API_KEY", "")

The code reads an API key from the environment or .env flow, while the supplied metadata declares no required env vars and no primary credential. The key is used to construct The Graph gateway URL.

User impact: A user may provide an API key without the skill metadata making that credential use clear.
Recommendation: Declare GATEWAY_API_KEY as an optional credential/env var, explain exactly where it is sent, and document that normal lookup use does not require it if that is intended.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
python/registry.py
REGISTRY_FILE.write_text(json.dumps(registry, indent=2, default=str))

The registry builder persists crawled and classified external subgraph data for reuse. Persistent external metadata can influence later agent recommendations.

User impact: If upstream metadata is inaccurate or manipulative, it can persist in the local registry and appear in future tool results.
Recommendation: Keep registry data provenance visible, refresh from trusted sources, and avoid treating stored descriptions as trusted instructions.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
README.md
SSE only (for remote/server deployments)

The README documents HTTP/SSE MCP transport for remote agents, but the provided documentation does not describe authentication or origin controls. The exposed tools appear read-only.

User impact: If the HTTP/SSE endpoint is exposed beyond localhost, other clients may be able to call the registry tools.
Recommendation: Keep the HTTP/SSE server bound to localhost or protect it with network controls, authentication, and clear deployment guidance.