A supply-chain weak point in ClawHub's plugin registry allowed third-party packages to squat under organizational scopes and inherit first-party credibility.
In a catalog review, Manifold found 23 code-executing plugins published under the @openclaw/ and @clawhub/ scopes by accounts that have no verified relationship to either organization.
Because ClawHub's registry did not consistently enforce its documented rule tying a plugin's scope to its verified owner, unaffiliated publishers were able to present plugins as if they were official OpenClaw integrations, a trust failure with real operational risk.
Scope prefixes such as @owner/ are a provenance signal familiar from npm and other package registries: they indicate the account responsible for publishing and, by extension, the level of trust the artifact deserves.
ClawHub adopted the same model for OpenClaw-compatible plugins and publishes genuine first-party integrations under @openclaw (for example, @openclaw/whatsapp and @openclaw/codex).
The result: plugins named @openclaw/security-gate, @openclaw/fiat-wallet and @clawhub/aisa-twitter-api appeared to users as official, while their publishers were unrelated accounts.
Archive snapshots of those listings remain available and illustrate how a URL or install command such as openclaw plugins install clawhub:@clawhub/prediction-market can be misread as pulling an endorsed integration.
According to Manifold's analysis, 557 of the 1,508 plugins in ClawHub's catalog carried an @owner/ scope, but not all scopes were ownership-verified.

The immediate danger is not that the specific packages Manifold reviewed contained malware; after manual inspection, none contained clearly malicious payloads.
The greater concern is impersonation: these plugins execute code inside agents and perform sensitive actions (autonomous payments, host-level git and gh commands, exporting agent configuration, and egress to third-party APIs).
The npm package @microsoft/microsoft-graph-client sits under the @microsoft scope, owned by the company. A developer pulling that package can be reasonably confident the artifact comes from Microsoft, because npm enforces org scopes: only members of the @microsoft org.

When such capabilities run under a scope that users assume is first-party, the scope itself becomes a force multiplier for future abuse.
A malicious actor need not plant a payload in the original version; gaining the same misleading provenance is enough to trick operators into installing privileged plugins.
ClawHub's own publishing documentation had long stated the protection that npm enforces (the package scope must match the selected publish owner), but the registry failed to apply that check comprehensively to org scopes.
Manifold reported the issue to ClawHub on June 17 via GitHub's security advisory workflow and followed up by email.
ClawHub responded by adding a namespace-claim dispute procedure and unlisting the most misleading plugins from public view by June 19, with public documentation updated to describe how rightful owners can request staff review.
This incident is a reminder that registries that mint their own scope layers take on responsibility for enforcing provenance.
Some registries sidestep the risk by deriving owner identity directly from GitHub repos, where ownership and publishing rights are already constrained.
Where a registry introduces scoped namespaces, rigorous verification, an automated enforcement check at publish time, and a fast dispute and takedown process are minimum requirements.
As AI agents and their supply chains proliferate, the plugin surface grows with them. Manifold's ongoing work, including a public supply-chain index and runtime detection capabilities, highlights the need for runtime monitoring and provenance visibility so that what a plugin claims aligns with what it actually does inside agents.
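
As an added illustration (not ClawHub's or Manifold's code), the publish-time scope check and a catalog audit built on it could look like the sketch below. The scope-owner table, the account names and the fail-closed handling of unverified scopes are assumptions; only the plugin names come from the article.

```javascript
// Added example: publish-time scope check plus a catalog audit.
// Account names and the scope-owner table are constructed for illustration.

// Verified scope -> accounts allowed to publish under it (assumed data model).
const VERIFIED_SCOPE_OWNERS = new Map([
  ["openclaw", new Set(["openclaw-release"])],
  ["clawhub", new Set(["clawhub-staff"])],
]);

// Split "@scope/name" into parts; scope is null for unscoped names.
function parseName(fullName) {
  const m = /^@([a-z0-9][a-z0-9._-]*)\/([a-z0-9][a-z0-9._-]*)$/i.exec(fullName);
  if (m) return { scope: m[1].toLowerCase(), name: m[2].toLowerCase() };
  if (fullName.startsWith("@") || fullName.includes("/")) {
    throw new Error(`malformed plugin name: ${fullName}`);
  }
  return { scope: null, name: fullName.toLowerCase() };
}

// Decide whether `publisher` may publish `fullName`. Fails closed: a scope
// with no verified owner is rejected instead of being granted on first use.
function checkPublish(fullName, publisher, owners = VERIFIED_SCOPE_OWNERS) {
  const { scope } = parseName(fullName);
  if (scope === null) return { allowed: true, reason: "unscoped" };
  const allowedAccounts = owners.get(scope);
  if (!allowedAccounts) return { allowed: false, reason: "scope-unverified" };
  if (!allowedAccounts.has(publisher.toLowerCase())) {
    return { allowed: false, reason: "publisher-not-scope-owner" };
  }
  return { allowed: true, reason: "scope-owner" };
}

// Re-run the same check over entries that are already listed.
function auditCatalog(catalog, owners = VERIFIED_SCOPE_OWNERS) {
  return catalog
    .map((e) => ({ ...e, ...checkPublish(e.name, e.publisher, owners) }))
    .filter((e) => !e.allowed);
}

// Constructed catalog: plugin names are from the article, publishers are made up.
const SAMPLE_CATALOG = [
  { name: "@openclaw/whatsapp", publisher: "openclaw-release" },
  { name: "@openclaw/security-gate", publisher: "example-user-1" },
  { name: "@clawhub/aisa-twitter-api", publisher: "example-user-2" },
  { name: "@example-org/notes", publisher: "example-user-3" },
  { name: "standalone-plugin", publisher: "example-user-4" },
];

console.log(auditCatalog(SAMPLE_CATALOG));
```

Running the audit over existing listings with the same function used at publish time keeps the two decisions consistent, so entries accepted before enforcement was added surface as findings.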





