ClawHub Finds 23 Plugins Squatting Its Official Namespaces
TL;DR
- Manifold Security found 23 plugins under ClawHub's reserved @openclaw/ and @clawhub/ scopes published by unaffiliated accounts.
- No malicious code was found, but the plugins can autonomously process payments, run host-level git commands, and call external APIs.
- Of ClawHub's 1,508 catalog plugins, 557 carry an @owner/ scope prefix, and ownership has not been fully verified for all of them.
The scoping system that ClawHub uses to mark plugins as official -- similar in structure to npm's @owner/ namespace model -- turned out to be enforced inconsistently. Researchers found 23 code-executing plugins published under the registry's reserved @openclaw/ and @clawhub/ scopes by accounts with no verified connection to either organization, according to Help Net Security. Plugin names like @openclaw/security-gate, @openclaw/fiat-wallet, and @clawhub/aisa-twitter-api appeared in the same catalog alongside legitimate tools such as @openclaw/whatsapp, indistinguishable to a user treating the scope prefix as a trust signal.
The concern Manifold Security raises is not that malicious code was present. The firm's review found no planted malicious code in any version examined. The concern is what these plugins are authorized to do: execute code inside agent environments, handle autonomous payments, run host-level git and gh commands, export agent configuration, and connect to external APIs. That is a large surface area of trust to extend to an unverified publisher -- and an update to any of these plugins could introduce harmful behavior without warning.
ClawHub's catalog holds 1,508 plugins in total. Of these, 557 carry an @owner/ scope prefix, and ownership has reportedly not been fully verified for all of them. Manifold disclosed the issue on June 17 via GitHub's security advisory workflow. By June 19, ClawHub had unlisted the 23 most misleading plugins and added a formal namespace-claim dispute procedure allowing rightful owners to request staff review.
What the reporting does not address is whether any organizations had already installed these plugins before unlisting, or whether ClawHub has a mechanism to alert those users. The dispute process is reactive: a rightful namespace owner has to discover that a name was squatted and then contest it, which places the burden on the victim rather than the registry.
The broader signal for teams building on agent runtimes is that a namespace scope is not a verified guarantee -- it is a display convention that can be gamed if the registry does not enforce it at publish time. Registries that build proactive ownership verification into their publishing flow, rather than adding dispute mechanisms after the fact, will be in a stronger position as enterprise AI agent deployment scales.
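A sketch of what enforcing scope ownership at publish time can look like, with the same rule reused to audit entries that are already listed. This is an added example, not ClawHub's code or schema: the owner map, the `name`/`publisher` fields, and every account name are assumptions, and the sample catalog is constructed around the plugin names mentioned above.

```python
import re

# Assumed data model (not ClawHub's real schema): scope -> accounts verified as its owners.
VERIFIED_OWNERS = {
    "openclaw": {"openclaw-release"},  # hypothetical account name
    "clawhub": {"clawhub-staff"},      # hypothetical account name
}
RESERVED_SCOPES = {"openclaw", "clawhub"}  # the two reserved scopes named in the article

# Optional "@scope/" prefix followed by a plugin name, matched after case-folding.
NAME_RE = re.compile(r"^(?:@([a-z0-9][a-z0-9._-]*)/)?([a-z0-9][a-z0-9._-]*)$")

def check_publish(name, publisher):
    """Return (allowed, reason) for a publish request; scoped names are denied by default."""
    m = NAME_RE.match(name.strip().casefold())  # case-fold so "@OpenClaw/" cannot dodge the check
    if m is None:
        return False, "malformed name"
    scope = m.group(1)
    if scope is None:
        return True, "unscoped"
    if publisher in VERIFIED_OWNERS.get(scope, set()):
        return True, "verified owner"
    if scope in RESERVED_SCOPES:
        return False, "reserved scope"
    return False, "scope ownership unverified"

def audit_catalog(entries):
    """Retroactive pass: list published entries the publish-time rule would refuse today."""
    findings = []
    for e in entries:
        ok, reason = check_publish(e["name"], e["publisher"])
        if not ok:
            findings.append((e["name"], e["publisher"], reason))
    return findings

# Constructed sample catalog: plugin names come from the article, publishers are invented.
SAMPLE = [
    {"name": "@openclaw/whatsapp", "publisher": "openclaw-release"},
    {"name": "@openclaw/security-gate", "publisher": "someuser42"},
    {"name": "@OpenClaw/fiat-wallet", "publisher": "someuser42"},
    {"name": "@clawhub/aisa-twitter-api", "publisher": "aisa-dev"},
    {"name": "@acme/notes", "publisher": "acme-bot"},
    {"name": "plain-plugin", "publisher": "anyone"},
]

if __name__ == "__main__":
    for row in audit_catalog(SAMPLE):
        print(row)
```

Teams consuming plugins can run the same audit against their own install list with an allowlist of publishers they have verified themselves, rather than relying on the scope prefix.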
Originally reported by helpnetsecurity.com
Original headline: 23 ClawHub Plugins Squatted Official OpenClaw Namespaces — Code-Executing AI Agent Tools Impersonated Trusted @openclaw/ Scope