23 ClawHub Plugins Used Official-Looking Scopes to Impersonate Trusted OpenClaw Tools
Security researchers found 23 code-executing ClawHub plugins that used official-looking @openclaw and @clawhub scopes even though unrelated third-party accounts published them.
The findings came from Manifold Security, which said the issue created a supply chain risk for AI agent users. The plugins looked like first-party tools because their names appeared under trusted organizational namespaces.
The issue matters because ClawHub plugins can run inside agent environments with real privileges. A developer installing a tool named under an official-looking scope could assume it came from OpenClaw or ClawHub, even when the publisher had no connection to either project.
What Happened on ClawHub
ClawHub is the public registry for OpenClaw skills and plugins. It lets users publish, search, install, and inspect agent tools, including native code plugins and bundle plugins.
The problem involved scope squatting. In software registries, a scope is the prefix before a package name, such as @openclaw. Users often treat that prefix as a provenance signal because it suggests who owns or publishes the package.
Manifold found that ClawHub had documented the expected ownership rule, but did not consistently enforce it across the registry. As a result, outside accounts were able to publish plugins under scopes that looked official.
| Issue | Details |
|---|---|
| Plugins identified | 23 code-executing plugins |
| Scopes affected | @openclaw and @clawhub |
| Publisher issue | Unrelated accounts published under official-looking namespaces |
| Malware finding | No outright malicious code found in the reviewed versions |
| Registry response | Plugins were unlisted and a namespace dispute process was added |
Why the Plugins Looked Trusted
Some plugin names looked like native or platform-level tools. Examples included @openclaw/security-gate, @openclaw/fiat-wallet, @openclaw/agent-exporter, and @clawhub/aisa-twitter-api.
According to Help Net Security, the issue affected official-looking scopes on a registry whose plugins run with OpenClaw, Claude, and other agent tools. That made the naming problem more serious than a simple branding dispute.
Manifold said all 23 plugins executed code inside the agent environment. Several had sensitive capabilities, including autonomous payment activity, host-level git commands, agent configuration export, or connections to outside APIs.
- Official-looking scopes made third-party plugins appear more trustworthy.
- Code execution increased the risk if a later update added harmful behavior.
- Automated scans did not catch every suspicious case.
- Developers could install these tools through scripts without checking the real publisher.
No Malware Found, but the Risk Was Real
Manifold's report said six of the 23 plugins were flagged as suspicious by ClawHub's own scanner. The remaining 17 were marked clean.
The researchers manually reviewed all 23 plugins and said they did not find outright malicious code in the reviewed versions. However, they warned that the trusted namespace could help a bad actor gain installs first and add malicious behavior later through an update.
This is why the incident still counts as a supply chain problem. The flaw was not only about what the current plugin versions did. It was about whether users could trust the registry naming model.
| Plugin example | Publishing account (not the scope owner) | ClawHub scan verdict |
|---|---|---|
| @clawhub/prediction-market-arbitrage | bibaofeng | Clean |
| @clawhub/aisa-twitter-api | bibaofeng | Suspicious |
| @openclaw/security-gate | dsda56180 | Clean |
| @openclaw/agent-exporter | jxh0229 | Suspicious |
| @openclaw/fiat-wallet | justiceessielp | Suspicious |
| @openclaw/openclaw-host-git-workflow | teodorarg | Suspicious |
| @openclaw/codex-claw | 100yenadmin | Suspicious |
ClawHub Responded After Disclosure
Manifold reported the issue to ClawHub on June 17, 2026, through GitHub's security advisory workflow. The researchers also sent a courtesy email the next day.
After the report, ClawHub added an Org and Namespace Claims process. The page lets rightful owners ask staff to review a namespace that appears claimed, reserved, misleading, or disputed.
By June 19, ClawHub had unlisted the misleading plugins from public view. The Help Net Security report also noted that the registry changed its handling after the disclosure.
Why AI Agent Registries Need Stronger Controls
AI agent plugins are not ordinary browser add-ons or simple text packages. They can connect to APIs, read project files, run local commands, and interact with developer tools.
The ClawHub repository describes the registry as open by default, with GitHub-account-based publishing, automated checks, scan summaries, reporting, and moderation. Open registries can grow quickly, but they also need strong identity checks around names that users treat as official.
OpenClaw's own security roadmap says the platform can read files, run commands, install plugins, talk to the network, and act on a real machine for a real user. That power makes plugin provenance a core security issue.
- Registries should reserve official organization scopes before abuse happens.
- Package pages should show verified ownership clearly.
- Automated scans should not replace publisher verification.
- Users should inspect publisher accounts before installing agent plugins.
- Teams should pin plugin versions and review updates before allowing them in sensitive workspaces.
What Developers Should Do Now
Developers using ClawHub or similar AI agent registries should review installed plugins and check whether each publisher matches the expected owner. Names that look official should not be trusted automatically.
Teams should also audit plugins that can run commands, export settings, process payments, or connect to external services. These capabilities create higher risk even when the current code does not look malicious.
The new namespace claim process gives organizations a way to request review when a scope, brand, package name, or owner handle appears misleading. Other AI plugin registries should consider similar controls before attackers turn naming gaps into real compromises.
OpenClaw's security guidance also makes clear that plugin systems need visible boundaries, auditability, and safer defaults. The ClawHub incident shows why those controls must include ownership verification, not only malware scanning.
FAQ
Researchers found 23 code-executing ClawHub plugins published under official-looking @openclaw and @clawhub scopes by unrelated third-party accounts. The plugins appeared more trustworthy because their names looked like first-party OpenClaw or ClawHub tools.
No outright malicious code was found in the 23 reviewed plugin versions, according to Manifold Security. The main risk was impersonation through trusted-looking scopes and the possibility that a future update could add harmful behavior.
Scope squatting happens when a publisher uses a namespace or package prefix that appears to belong to another project, company, or organization. In this case, unrelated accounts published plugins under @openclaw and @clawhub scopes.
AI agent plugins can run commands, access files, call external APIs, export configuration, or interact with developer tools. If users trust a misleading plugin, it could gain powerful access inside an agent environment.
Developers should review installed plugins, confirm that publisher accounts match the expected organization, remove tools they cannot verify, pin trusted versions, and inspect updates before allowing code-executing plugins in sensitive workspaces.