Usage flags on generated keys are too powerful.
On a schleuder-generated OpenPGP certificate, the usage flags are set far too wide-open. In particular, I see the following permissions set:
pub   rsa4096 2017-01-18 [SCEA]
sub   rsa4096 2017-01-18 [SEA]
That's "sign, certify, encrypt, authenticate" on the master, and "sign, encrypt, authenticate" on the subkey.
You do not want to use the same key for multiple purposes, especially not in an automated context where people can (for example) coax arbitrary signatures out of your signing-capable keys. If those same keys are sometimes used for encryption, it's possible that (with a crufty protocol) the message signature could be used to decrypt a different message that had been encrypted to that key.
I recommend that the primary key be SC-only, and that the subkey be E-only.
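An added audit script (not part of this report or of schleuder) that reads `gpg --list-keys --with-colons` output and flags the layout described above while accepting the recommended SC-only primary with an E-only subkey. It generalizes slightly: any subkey that combines encryption with signing or authentication is reported. The listings and key IDs are constructed placeholders, not real keys.

```python
"""Audit OpenPGP usage flags from `gpg --list-keys --with-colons` output.

Field 12 of a pub:/sub: record lists the key's own capabilities in
lower case (e=encrypt, s=sign, c=certify, a=authenticate); upper-case
letters on the pub: record are the aggregate over the whole certificate
and are ignored here.
"""

OWN_CAPS = set("esca")

# Constructed sample listings; key IDs and fingerprints are placeholders.
# The first mirrors the [SCEA]/[SEA] layout reported above, the second
# the recommended SC-only primary with an E-only subkey.
OVERBROAD_LISTING = """\
pub:u:4096:1:0000000000000001:1484697600:::u:::escaESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
sub:u:4096:1:0000000000000002:1484697600::::::esa::::::23:
"""

RECOMMENDED_LISTING = """\
pub:u:4096:1:0000000000000003:1484697600:::u:::scESC::::::23::0:
sub:u:4096:1:0000000000000004:1484697600::::::e::::::23:
"""


def parse_keys(colon_output):
    """Return [(record_type, key_id, set_of_own_capabilities), ...]."""
    keys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) > 11:
            caps = {c for c in fields[11] if c in OWN_CAPS}
            keys.append((fields[0], fields[4], caps))
    return keys


def audit_usage_flags(colon_output):
    """Return a list of findings; an empty list means the layout is clean.

    Primary key: only sign and certify are acceptable.
    Subkeys: encryption must not share a key with sign or authenticate,
    which is the cross-purpose risk described in the report above.
    """
    findings = []
    for rec, key_id, caps in parse_keys(colon_output):
        if rec == "pub":
            extra = sorted(caps - {"s", "c"})
            if extra:
                findings.append(f"primary {key_id}: has {extra}, want sign+certify only")
        else:
            mixed = sorted(caps & {"s", "a"})
            if "e" in caps and mixed:
                findings.append(f"subkey {key_id}: mixes encrypt with {mixed}")
    return findings
```

Pipe a real listing in with `gpg --list-keys --with-colons <keyid>` and pass the text to `audit_usage_flags` to check a deployed schleuder list key.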