Manifold Security identified 23 plugins on ClawHub’s registry that were published under official @openclaw/ and @clawhub/ organizational scopes by accounts with no affiliation to either organization. The plugins ran executable code inside agent environments, according to Manifold’s research report published June 22. ClawHub unlisted all 23 plugins and added a namespace dispute process within two days of disclosure.
How Scope Squatting Works
ClawHub is OpenClaw’s primary plugin and skill registry, indexing over 1,500 plugins. It uses npm-style scoping where the @owner/ prefix on a plugin name signals who published it. ClawHub publishes its own genuine plugins under @openclaw/ (including @openclaw/whatsapp, @openclaw/codex, and @openclaw/matrix), making that scope a first-party trust signal.
The registry’s own publishing documentation explicitly states that a plugin’s scope must match its publishing owner, according to Cyber Security News. In practice, ClawHub did not enforce that rule comprehensively. Of 1,508 plugins in the catalog, 557 carry an @owner/ scope, but not all have verified ownership. The 23 flagged plugins belonged to 15 distinct unaffiliated accounts.
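A registry-side check for the rule described above, as an added example (not ClawHub's or Manifold's code): it flags plugins whose @owner/ scope is not backed by a verified publisher. The record layout, the account names, and the @OpenClaw/example-tool, @acme-tools/sync and @somedev/notes entries are constructed assumptions.

```python
import re
from typing import Optional

# Assumed layout: scope -> accounts verified as organization members (constructed names).
VERIFIED_SCOPE_MEMBERS = {"openclaw": {"openclaw-release"}, "clawhub": {"clawhub-release"}}

# Constructed catalog records; the (name, publisher) schema is an assumption.
SAMPLE_CATALOG = [
    {"name": "@openclaw/whatsapp", "publisher": "openclaw-release"},
    {"name": "@openclaw/security-gate", "publisher": "example-account-a"},
    {"name": "@clawhub/aisa-twitter-api", "publisher": "example-account-b"},
    {"name": "@OpenClaw/example-tool", "publisher": "example-account-c"},
    {"name": "@acme-tools/sync", "publisher": "example-account-d"},
    {"name": "@somedev/notes", "publisher": "somedev"},
    {"name": "unscoped-tool", "publisher": "example-account-e"},
]

SCOPED_NAME = re.compile(r"^@([^/@\s]+)/([^/@\s]+)$")


def parse_scope(name: str) -> Optional[str]:
    """Return the lowercased scope of '@owner/plugin', or None if unscoped."""
    match = SCOPED_NAME.match(name.strip())
    return match.group(1).lower() if match else None


def check_plugin(record: dict, members: dict) -> str:
    """Classify one record: 'unscoped', 'ok', 'mismatch' or 'unverified-scope'."""
    scope = parse_scope(record["name"])
    if scope is None:
        return "unscoped"
    publisher = record["publisher"].lower()
    if scope in members:
        return "ok" if publisher in members[scope] else "mismatch"
    # No verified member list: accept only a personal scope equal to the account name.
    return "ok" if scope == publisher else "unverified-scope"


def audit_catalog(catalog: list, members: dict) -> list:
    """Return (name, publisher, verdict) for every record that fails the check."""
    checked = [(r["name"], r["publisher"], check_plugin(r, members)) for r in catalog]
    return [row for row in checked if row[2] in ("mismatch", "unverified-scope")]


if __name__ == "__main__":
    for name, publisher, verdict in audit_catalog(SAMPLE_CATALOG, VERIFIED_SCOPE_MEMBERS):
        print(f"{verdict:17} {name} published by {publisher}")
```

Running the same check at publish time, rather than as a catalog audit, is what turns the documented rule into an enforced one.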
What the Plugins Could Do
Plugin names like @openclaw/security-gate, @openclaw/fiat-wallet, and @clawhub/aisa-twitter-api appeared to be platform-native tools. All 23 executed code inside the agent environment. Several performed high-privilege actions: autonomous payment processing, host-level git commands, agent configuration exports, and connections to external APIs, according to Manifold’s analysis.
ClawHub’s built-in security scanner flagged six of the 23 as suspicious. The remaining 17 passed as clean. Manifold noted that @openclaw/security-gate, a security-review plugin, cleared the registry’s own audit despite not belonging to OpenClaw.
Manifold’s manual review found no planted malicious code in any version examined. The researchers emphasized that future updates to any of these plugins could introduce harmful behavior without warning, and that the impersonation of high-privilege plugin types under a trusted scope was itself the primary risk.
Disclosure Timeline
Manifold reported the issue to ClawHub on June 17, 2026 through GitHub’s security advisory workflow, followed by a courtesy email on June 18. By June 19, ClawHub had unlisted all 23 misleading plugins and added a formal dispute process for reporting unauthorized namespace usage, according to Manifold’s report.
The npm Parallel, With Higher Stakes
The technique Manifold calls “scope squatting” mirrors a well-documented pattern in software package registries. On npm, only verified members of an organization can publish under its scope. ClawHub documented the same rule but enforced it inconsistently.
The difference is what runs on the other end. npm packages execute in build pipelines and runtimes. ClawHub plugins execute inside AI agents that hold credentials, access file systems, make API calls, and in some cases process payments autonomously. A compromised plugin in an agent environment has access to everything the agent has access to.
Other Claude plugin registries like claude-plugins.dev derive ownership from GitHub repositories directly, sidestepping the scope enforcement problem entirely, Manifold noted. ClawHub, by minting its own scope layer, took on the enforcement burden and missed it on 23 plugins.