23 ClawHub Plugins Exploit Official Org Scopes to Impersonate Trusted Tools

A recent security investigation has uncovered a supply chain weakness in ClawHub, the primary plugin registry for the OpenClaw AI agent ecosystem. Researchers identified 23 plugins published under official organizational scopes by accounts that did not own those scopes, which let the plugins masquerade as legitimate, first-party tools.

ClawHub serves as the central repository for plugins and skills compatible with OpenClaw, an open-source AI agent platform. It supports Claude-compatible plugin bundles that integrate with AI coding agents like Claude Code, Cursor, and Codex. The registry employs a scoping system similar to npm, where the ‘@owner/’ prefix in a plugin’s name indicates its publisher. However, inconsistencies in enforcing this trust model permitted unauthorized third-party accounts to publish plugins under reserved organizational scopes.

Analysts at Manifold Security identified all 23 unauthorized plugins and reported their findings. The plugins used prefixes such as ‘@openclaw/’ and ‘@clawhub/’, the same scopes ClawHub uses for its official tools such as ‘@openclaw/whatsapp’ and ‘@openclaw/codex’. To a developer browsing the catalog or scripting an install, the names looked as though they came directly from the official source.

All 23 flagged plugins executed code within the agent environment, and several performed high-privilege actions: autonomous payment processing, host-level git commands, export of agent configurations, and connections to external APIs. Behind an official-looking scope, capabilities like these are exactly the ones a developer is least likely to scrutinize, which makes the combination a credible supply chain risk.

The timeline of events unfolded rapidly. Manifold reported the issue to ClawHub on June 17, 2026, through GitHub’s security advisory workflow, followed by a courtesy email the next day. By June 19, ClawHub had unlisted all 23 misleading plugins and implemented a formal dispute process for reporting unauthorized namespace usage.

The core issue, termed “scope squatting,” involves publishing a plugin under an organizational namespace that the publisher does not own. In registries like npm, this is prevented at publish time: a scoped name is accepted only if the publishing account is the user or a member of the organization that owns that scope. ClawHub documented a similar rule in its publishing guidelines, but enforcement was inconsistent across its catalog.

Out of 1,508 plugins in the catalog, 557 carried an ‘@owner/’ prefix, but not all had verified ownership. The 23 identified plugins belonged to 15 distinct accounts, with some accounts responsible for multiple plugins. Names like ‘@openclaw/security-gate’, ‘@openclaw/fiat-wallet’, and ‘@clawhub/aisa-twitter-api’ sounded like native, platform-level tools, deepening the deception for users browsing or scripting installs.
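The ownership check that was missing is small enough to show in full. The following is an added example, not ClawHub's or Manifold Security's code: it assumes a catalog export that records each plugin's name and publishing account, and a table mapping each reserved scope to the accounts its owner has authorized. The account names, the `@acme/cli` entry and the catalog records are constructed for illustration; the plugin names themselves are the ones named in this article. `find_scope_squats` is the audit Manifold's analysts effectively ran over the catalog, and `publish_allowed` is the publish-time gate npm applies that would have rejected the 23 uploads.

```python
"""Scope-squatting audit and publish-time gate for an npm-style registry.

Added example (not ClawHub's or Manifold Security's code). Assumes:
  - a catalog export with one record per plugin: name and publishing account
  - a membership table: reserved scope -> set of authorized accounts
Account names and the sample catalog below are constructed.
"""
import re
from dataclasses import dataclass

# npm-style scoped name '@owner/pkg'. The permitted character set is an
# assumption; adjust to the registry's real naming rules.
SCOPED_NAME = re.compile(r"^@(?P<scope>[a-z0-9][a-z0-9._-]*)/(?P<pkg>[a-z0-9][a-z0-9._-]*)$")


@dataclass(frozen=True)
class Plugin:
    name: str       # registry name, e.g. '@openclaw/whatsapp'
    publisher: str  # account that pushed the package


def parse_scope(name: str):
    """Return the owner scope of '@owner/pkg', or None for unscoped or malformed names."""
    m = SCOPED_NAME.match(name)
    return m.group("scope") if m else None


def find_scope_squats(catalog, scope_members):
    """Audit a catalog for scope squatting.

    Returns (squats, unregistered):
      squats       - plugins in a reserved scope whose publisher is not an
                     authorized member of that scope (the 23 in this article)
      unregistered - scoped plugins whose scope nobody has claimed; a registry
                     should not present these as trusted either
    Unscoped names make no ownership claim and are skipped.
    """
    squats, unregistered = [], []
    for p in catalog:
        scope = parse_scope(p.name)
        if scope is None:
            continue
        members = scope_members.get(scope)
        if members is None:
            unregistered.append(p)
        elif p.publisher not in members:
            squats.append(p)
    return squats, unregistered


def summarize(catalog, squats):
    """Counts in the shape of the article's figures: total, scoped, flagged, accounts."""
    scoped = sum(1 for p in catalog if parse_scope(p.name))
    return {
        "total": len(catalog),
        "scoped": scoped,
        "flagged": len(squats),
        "accounts": len({p.publisher for p in squats}),
    }


def publish_allowed(name, publisher, scope_members):
    """Publish-time gate, as npm enforces it: a scoped name is accepted only if
    the scope is registered and the publisher is one of its authorized accounts.
    Unscoped names carry no ownership claim and are accepted."""
    scope = parse_scope(name)
    if scope is None:
        return True
    members = scope_members.get(scope)
    return members is not None and publisher in members


# Constructed membership table (account names are hypothetical).
RESERVED_SCOPES = {
    "openclaw": {"openclaw-bot", "openclaw-release"},
    "clawhub": {"clawhub-admin"},
}

# Constructed catalog excerpt mixing official, squatted, unclaimed and unscoped names.
SAMPLE_CATALOG = [
    Plugin("@openclaw/whatsapp", "openclaw-release"),    # official
    Plugin("@openclaw/codex", "openclaw-bot"),           # official
    Plugin("@openclaw/security-gate", "acct-7c1"),       # squat
    Plugin("@openclaw/fiat-wallet", "acct-7c1"),         # squat, same account
    Plugin("@clawhub/aisa-twitter-api", "acct-e90"),     # squat
    Plugin("@acme/cli", "acct-3b2"),                     # scope nobody registered
    Plugin("weather-skill", "acct-e90"),                 # unscoped
]

if __name__ == "__main__":
    squats, unregistered = find_scope_squats(SAMPLE_CATALOG, RESERVED_SCOPES)
    for p in squats:
        print(f"SQUAT        {p.name:32} published by {p.publisher}")
    for p in unregistered:
        print(f"UNREGISTERED {p.name:32} published by {p.publisher}")
    print(summarize(SAMPLE_CATALOG, squats))
```

Run against a real export, the same loop reproduces the article's numbers directly: total catalog size, how many names carry a scope, how many of those fail the membership check, and how many distinct accounts are behind them. The gate is the more important half: an audit finds squats after they have been live, while `publish_allowed` refuses the upload in the first place, which is why npm has no catalog-wide cleanup to do.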

Six of the 23 plugins were flagged as suspicious by ClawHub’s internal scanner, but the remaining 17 passed as clean. That is the expected outcome: a content scanner judges what the code does, while scope squatting is a question of who published it, so namespace ownership has to be verified as a separate control rather than left to code analysis.

This incident underscores the importance of enforcing namespace ownership in plugin registries at publish time, not just documenting it. As AI agent ecosystems grow, the integrity of their supply chains depends on it. Developers installing plugins should treat an official-looking scope as a claim to be checked rather than a guarantee: confirm on the registry that the publishing account actually belongs to the organization named in the scope, review what permissions a plugin requests before installing it, and stay informed about security advisories affecting their development environments.