23 ClawHub Plugins Found Impersonating Official @openclaw and @clawhub Namespaces

AI relevance: ClawHub plugins execute directly within AI agents like Claude Code and Cursor with system-level privileges — namespace impersonation creates a false trust surface that enables future supply chain compromise.

  • Manifold Security identified 23 plugins on ClawHub in which third-party accounts with no connection to the organizations improperly used the official organizational namespaces (@openclaw/ and @clawhub/ scopes).
  • ClawHub indexes over 1,500 plugins for AI agents including Claude Code and Cursor. Of 1,508 plugins, 557 used an @owner/ scope, but many were never verified as owned.
  • Flagged plugins used names like @openclaw/security-gate and @clawhub/prediction-market, appearing as genuine first-party integrations.
  • One account controlled five different @clawhub/ packages, suggesting either coordinated squatting or opportunistic namespace parking.
  • Manifold Security's manual review found no malicious code in current versions. However, the high-privilege actions these plugins are authorized to perform create latent risk.
  • Reported to ClawHub on June 17, 2026; the plugins were unlisted by June 19. ClawHub updated its documentation with a formal dispute process for organizational scopes.
  • This follows prior research uncovering AI skills exfiltrating data or secretly recruiting agents into cryptocurrency swarms.

Why it matters

Scope squatting transforms a security feature (namespace verification) into a liability. Unlike npm, which strictly enforces scope ownership, ClawHub outlined scope rules in its documentation but didn't comprehensively enforce them. An attacker could inherit the default credibility of an official namespace, publish a seemingly legitimate plugin, and wait for widespread adoption before introducing malicious updates.

What to do

  • Audit installed ClawHub plugins for any using @openclaw/ or @clawhub/ scopes — verify publisher legitimacy.
  • Organizations owning brands/scopes should submit formal disputes to reclaim squatted handles.
  • Implement plugin allowlists rather than installing ad-hoc from registries.
  • Review plugin permissions and sandbox execution where possible.
  • Monitor for unexpected plugin updates that could introduce malicious code.
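
The audit, allowlist and update checks above can be run over an inventory of installed plugins. The following is an added example, not code from ClawHub or Manifold Security. The inventory field names, the publisher accounts, the allowlist contents and the @openclaw/core-tools, @clawhub/notes-sync and markdown-lint entries are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumption: publisher accounts each organization has confirmed as its own.
VERIFIED_SCOPE_OWNERS = {"@openclaw": {"openclaw-official"},
                         "@clawhub": {"clawhub-official"}}

# Assumption: reviewed (name, version) pairs approved for installation.
ALLOWLIST = {("@openclaw/core-tools", "2.0.1"), ("markdown-lint", "0.9.0")}

# Constructed inventory; the field names are an assumed export format.
SAMPLE_INVENTORY = json.loads("""[
 {"name": "@openclaw/core-tools", "publisher": "openclaw-official", "version": "2.0.1"},
 {"name": "@openclaw/security-gate", "publisher": "acct-a", "version": "1.2.0"},
 {"name": "@clawhub/prediction-market", "publisher": "acct-b", "version": "0.3.1"},
 {"name": "@clawhub/notes-sync", "publisher": "acct-b", "version": "0.1.0"},
 {"name": "markdown-lint", "publisher": "acct-c", "version": "0.9.1"}
]""")

def split_scope(name):
    """Return (scope, bare_name); scope is None for unscoped plugins."""
    if name.startswith("@") and "/" in name:
        scope, bare = name.split("/", 1)
        return scope.lower(), bare
    return None, name

def audit(inventory, owners=VERIFIED_SCOPE_OWNERS, allowlist=ALLOWLIST):
    """Return sorted (subject, finding) pairs for the inventory."""
    findings = []
    squatters = defaultdict(list)  # (publisher, scope) -> plugin names
    for plugin in inventory:
        name, publisher = plugin["name"], plugin["publisher"]
        scope, _ = split_scope(name)
        # Official-looking scope published by an account the org never confirmed.
        if scope in owners and publisher not in owners[scope]:
            findings.append((name, "unverified-scope-owner"))
            squatters[(publisher, scope)].append(name)
        # A version bump outside the reviewed pin also lands here.
        if (name, plugin["version"]) not in allowlist:
            findings.append((name, "not-allowlisted"))
    # One account holding several packages in an official scope.
    for (publisher, scope), names in squatters.items():
        if len(names) > 1:
            findings.append((publisher, f"holds-{len(names)}-{scope}-packages"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_INVENTORY):
        print(f"{finding:32} {subject}")
```

Pinning the allowlist to name and version means an unreviewed update is reported the same way as an unapproved plugin.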
