We find ourselves at an early stage of the project where there is not a simple way to verify the legitimacy of a subgraph, yet. ENS names can help you in this just as much as verifying the publisher’s ETH address. Simlarly, subgraph developers may choose to publicly announce the deployment of their subgraph.
In the subgraph’s code, there are links to the GitHub as metadata. You can get the deployed assets to verify the subgraph by catting the subgraph deployment ID on IPFS. For example, Livepeer’s subgraph address is 0xb31aa1f312595af94f184c5791dc03d6af12fbff, which you could then match against the source in their repository.
Your goal as a Curator is to assess which subgraphs are going to get query fees. You can evaluate the subgraph itself, but that doesn’t tell you who’s going to use it or if the actual project team is going to deploy their own subgraph later on.