A subtle but serious supply chain problem has surfaced in the AI agent community. Researchers have identified 23 unauthorized plugins in the ClawHub registry, published under official organizational scopes without authorization from ClawHub or its overseeing entity, OpenClaw.
Unauthorized Plugins Mimic Trusted Tools
These rogue plugins masquerade as legitimate tools by using trusted namespace prefixes. Although they appear to be first-party resources, they are submitted by unrelated third-party accounts. ClawHub serves as the primary repository for OpenClaw-compatible plugins, supporting integration with AI coding agents such as Claude Code, Cursor, and Codex.
The registry, which hosts over 1,500 plugins, employs a naming convention similar to npm’s, where the @owner/ prefix designates the publisher. However, ClawHub’s enforcement of this trust model lacked consistency, allowing unauthorized accounts to publish under reserved organizational scopes without challenge.
Supply Chain Risk and ClawHub’s Response
Manifold Security analysts uncovered the unauthorized plugins and shared their findings with Cyber Security News. These plugins used prefixes like @openclaw/ and @clawhub/, mirroring those of legitimate ClawHub tools. Developers installing these plugins might falsely believe they originate from a trustworthy source.
All identified plugins execute code within the agent environment, with some performing high-privilege operations such as payment processing and connecting to external APIs. This creates a credible supply chain risk, as unsuspecting developers might not question their legitimacy. Following the report, ClawHub acted swiftly, delisting the plugins and establishing a dispute process for unauthorized namespace usage.
Need for Enhanced Security Measures
The core issue revolves around “scope squatting,” where a plugin is falsely published under an organizational namespace. Unlike systems like npm, where only verified members can publish under a registered scope, ClawHub failed to consistently enforce this rule. Among the 1,508 plugins cataloged, 557 use an @owner/ prefix, not all of which have verified ownership.
Some plugins, like @openclaw/security-gate, passed ClawHub’s own security scans despite being unauthorized, illustrating the need for more rigorous checks. Manifold’s review found no malicious code, but future updates could potentially introduce harmful behavior.
This incident highlights a broader issue: the AI ecosystem is growing faster than its security measures. Plugins carrying unauthorized official badges pose a significant risk, because the changes they make inside an AI agent can go undetected.
For developers, verifying the authorship of a plugin before installing it is crucial. Registries should enforce scope ownership at publication time rather than relying solely on post-publication audits. ClawHub’s recent actions, including unlisting the affected plugins and implementing a namespace claims process, serve as a potential model for other AI plugin registries.
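To make the publication-time rule concrete, here is an added example (not ClawHub's or OpenClaw's code) of a scope-ownership gate modelled on the npm-style rule the article describes: a scoped name is accepted only when the publishing account is a verified member of that scope, and the same check doubles as a catalog audit for the scope-squatting pattern. The scope table, account names and manifests are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: which accounts are verified members of which
# organizational scope. These names are hypothetical, not ClawHub's records.
SCOPE_OWNERS = {
    "openclaw": {"openclaw-admin"},
    "clawhub": {"clawhub-bot", "clawhub-admin"},
}


@dataclass
class Manifest:
    name: str        # package name as submitted, e.g. "@openclaw/security-gate"
    publisher: str   # account that submitted the package


def parse_scope(name):
    """Return (scope, package) for '@scope/pkg', or (None, name) if unscoped."""
    if name.startswith("@") and "/" in name:
        scope, _, pkg = name[1:].partition("/")
        if scope and pkg:
            return scope, pkg
        raise ValueError(f"malformed scoped name: {name!r}")
    return None, name


def check_publish(m, owners=SCOPE_OWNERS):
    """Publish-time gate: a scoped name is allowed only if the publisher is a
    verified member of that scope. Returns (allowed, reason)."""
    scope, _ = parse_scope(m.name)
    if scope is None:
        return True, "unscoped"
    members = owners.get(scope)
    if members is None:
        return False, f"scope '@{scope}/' is not registered; claim it first"
    if m.publisher not in members:
        return False, f"'{m.publisher}' is not a verified member of '@{scope}/'"
    return True, "verified scope member"


def audit_catalog(manifests, owners=SCOPE_OWNERS):
    """Post-publication audit: names of scoped plugins whose publisher is not
    a verified scope member, i.e. the scope-squatting pattern."""
    return [m.name for m in manifests if not check_publish(m, owners)[0]]
```

Running the gate at submission time turns the audit list into an empty set by construction; the audit remains useful for catalogs populated before enforcement existed.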
