
ClawHub Scope Squatting Allows Plugins to Appear as Official OpenClaw Integrations


ClawHub Faces Supply-Chain Vulnerabilities in Plugin Registry

A recent analysis by Manifold documents a structural weakness in ClawHub's plugin registry: the registry did not enforce ownership of organizational scopes, so packages from unaffiliated third-party accounts could be published under names that presented them as official OpenClaw or ClawHub integrations. The weakness undermines the provenance signal a scope is supposed to carry, and because ClawHub plugins run code inside users' agents, it is a supply-chain risk for everyone who installs from the registry.

During a catalog review, Manifold researchers identified 23 code-executing plugins published under the organizational scopes @openclaw/ and @clawhub/. None of them came from accounts with a verified connection to either organization.

The root cause is that ClawHub did not consistently enforce its own documented policy that a plugin's scope must match its verified owner. Unaffiliated publishers could therefore release plugins that presented themselves as official OpenClaw integrations. In package registries such as npm, a scope prefix like @owner/ is a provenance signal: it names the account or organization that published the package, and users extend trust accordingly, which is exactly why the scope must be bound to a verified owner at publish time.

ClawHub had adopted this model for OpenClaw-compatible plugins, publishing legitimate first-party integrations such as @openclaw/whatsapp and @openclaw/codex under the @openclaw scope. Plugins such as @openclaw/security-gate, @openclaw/fiat-wallet, and @clawhub/aisa-twitter-api looked to users like more of the same, but their publishers were unrelated accounts.

Archived snapshots of the listings show how easily a user reading a listing URL or an install command such as "openclaw plugins install clawhub:@clawhub/prediction-market" would take the plugin for a trusted first-party integration. The registry's own user guidance reinforced that reading, which makes this a design flaw in the registry rather than a user error.

Of the 1,508 plugins in ClawHub's catalog, 557 were published under an @owner/ scope, and not all of those scopes were ownership-verified. The immediate concern is not malware: a manual inspection of the reviewed packages found no obvious malicious payloads. The concern is impersonation. These plugins execute code inside user environments and perform sensitive actions such as managing autonomous payments, running git and GitHub commands, exporting agent configurations, and calling third-party APIs, so a user who trusts the scope is granting those capabilities to whoever actually controls the package.

For comparison, the npm package @microsoft/microsoft-graph-client lives under the verified @microsoft scope. Developers can reasonably trust that it comes from Microsoft because npm only lets members of the @microsoft organization publish into that scope. When plugins with comparable capabilities sit under a scope that users equate with first-party verification but that the registry does not actually enforce, that trust is misplaced. An attacker need not embed malicious code at all; misleading provenance alone can get a plugin with broad permissions and access installed.

ClawHub's own documentation stated that a package's scope must match its owner at publish time, but the registry did not apply that check rigorously to organizational scopes. Manifold reported the issue to ClawHub on June 17 via GitHub's security advisory process and followed up by email. By June 19, ClawHub had introduced a namespace-claim dispute procedure, removed the most misleading plugins from public view, and updated its public documentation to explain how rightful owners can request a staff review.

The incident underscores the responsibility a registry takes on when it creates its own scope layer. Some registries avoid the problem by tying owner identity directly to a GitHub repository, where ownership and publishing rights are already controlled. A registry that establishes scoped namespaces of its own is expected to verify scope ownership, enforce it automatically at publish time, and provide a fast dispute process for the cases that slip through.
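The publish-time check described above, as an added example (not ClawHub's or Manifold's code): a JavaScript gate that binds a scoped plugin name to a verified owner, plus a catalog audit that flags the scope/publisher mismatches the article describes. The scope table, account names and catalog entries are constructed for illustration, and the parser's acceptance of the `clawhub:` install prefix is an assumption about the install syntax quoted earlier.

```javascript
// Added example, not ClawHub's or Manifold's code. It implements the check
// the article says ClawHub documented but did not enforce: at publish time
// the scope in "@scope/name" must belong to the publishing account. The
// scope table, account names and catalog entries below are constructed.

// Accept "@scope/name" or "name"; tolerate the "clawhub:" install prefix
// (assumed from the install command "clawhub:@clawhub/prediction-market").
function parsePluginName(spec) {
  const bare = spec.replace(/^clawhub:/, "");
  const m = /^(?:@([a-z0-9][a-z0-9._-]*)\/)?([a-z0-9][a-z0-9._-]*)$/.exec(bare);
  if (!m) throw new Error(`invalid plugin name: ${spec}`);
  return { scope: m[1] ?? null, name: m[2] };
}

// Verified organisation scopes: scope -> accounts allowed to publish into it.
// A Map (not a plain object) so lookups like "constructor" cannot hit the
// prototype. Constructed; a real registry backs this with org membership.
const VERIFIED_SCOPES = new Map([
  ["openclaw", new Set(["openclaw-release-bot"])],
  ["clawhub", new Set(["clawhub-staff"])],
]);

// Decide whether `publisher` may publish `spec`. Verified org scopes are
// checked before the "username equals scope" rule, so an account that
// merely registers the username "openclaw" cannot publish into @openclaw.
function checkPublish(spec, publisher, scopes = VERIFIED_SCOPES) {
  const { scope } = parsePluginName(spec);
  if (scope === null) return { allowed: true, reason: "unscoped" };
  const members = scopes.get(scope);
  if (members) {
    return members.has(publisher)
      ? { allowed: true, reason: "verified-member" }
      : { allowed: false, reason: "publisher-not-member" };
  }
  if (scope === publisher) return { allowed: true, reason: "own-user-scope" };
  return { allowed: false, reason: "scope-unclaimed" };
}

// Audit an existing catalog: return every scoped plugin whose publisher does
// not own the scope, distinguishing impersonation of a verified scope
// ("publisher-not-member") from scopes nobody has claimed ("scope-unclaimed").
function auditCatalog(entries, scopes = VERIFIED_SCOPES) {
  const findings = [];
  for (const e of entries) {
    const r = checkPublish(e.name, e.publisher, scopes);
    if (!r.allowed) {
      findings.push({ name: e.name, publisher: e.publisher, reason: r.reason });
    }
  }
  return findings;
}

// Constructed catalog sample; names and publisher handles are illustrative.
const SAMPLE_CATALOG = [
  { name: "@openclaw/whatsapp",       publisher: "openclaw-release-bot" },
  { name: "@openclaw/payments-demo",  publisher: "unrelated-dev-1" },
  { name: "@clawhub/social-api-demo", publisher: "unrelated-dev-2" },
  { name: "@openclaw/another-demo",   publisher: "openclaw" }, // username squat
  { name: "@alice/helper",            publisher: "alice" },
  { name: "@acme/tool",               publisher: "bob" },
  { name: "plain-plugin",             publisher: "carol" },
];

function main() {
  for (const f of auditCatalog(SAMPLE_CATALOG)) {
    console.log(`${f.name} published by ${f.publisher}: ${f.reason}`);
  }
}
main();
```

Running the block prints four findings: the two plugins published into verified org scopes by unrelated accounts, the one published by a user who registered the username "openclaw", and @acme/tool under a scope nobody has claimed. The ordering of the checks is the important design choice: verified organization scopes must win over the "username equals scope" rule, otherwise registering an account with the organization's name is itself a squatting path.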

As AI agents and the supply chains around them proliferate, the plugin attack surface grows with them. Manifold's ongoing work, including a public supply-chain index and runtime detection, emphasizes monitoring plugin behavior and verifying provenance, so that what a plugin claims to do matches what it actually does inside a user's agent.

The episode is a reminder that every software registry needs verification procedures that are actually enforced, and that developers and users alike should treat a scope as trustworthy only when the registry binds it to a verified owner.

