A new supply chain threat has surfaced in the AI agent ecosystem that is both subtle and serious.
Researchers uncovered 23 plugins on the ClawHub registry published under official organizational scopes without any authorization from ClawHub or its parent project, OpenClaw.
These plugins used trusted namespace prefixes to look like genuine, first-party tools, even though they were submitted by unrelated third-party accounts with no connection to either organization.
ClawHub is the primary plugin and skill registry for OpenClaw, and it supports Claude-compatible plugin bundles that install into AI coding agents like Claude Code, Cursor, and Codex.
The registry indexes more than 1,500 plugins and uses a scoping system similar to npm, where the @owner/ prefix on a plugin name signals who published it.
The problem is that ClawHub’s enforcement of this trust model was inconsistent, allowing outside accounts to publish under reserved organizational scopes unchallenged.
Analysts at Manifold Security identified all 23 rogue plugins and documented their findings in a report shared with Cyber Security News (CSN).
The affected plugins carried prefixes like @openclaw/ and @clawhub/, the same scopes ClawHub uses for its own legitimate tools such as @openclaw/whatsapp and @openclaw/codex.
Any developer installing one of these plugins would reasonably assume it came directly from the official source.
All 23 flagged plugins execute code inside the agent environment. Several perform high-privilege actions including autonomous payment processing, running host-level git commands, exporting agent configuration, and connecting to external APIs.
[Figure: npm package @microsoft/microsoft-graph-client, shown as a reference example of an org-scoped package (Source – Manifold)]
Under an official-looking scope, these capabilities create a credible supply chain risk that most developers would not think to question.
The timeline moved fast after discovery. Manifold reported the issue to ClawHub on June 17, 2026, through GitHub’s security advisory workflow, followed by a courtesy email the next day.
By June 19, ClawHub had unlisted all 23 misleading plugins and added a formal dispute process for reporting unauthorized namespace usage.
23 ClawHub Plugins Abuse Official Org Scopes
The core of this issue is a technique researchers call “scope squatting,” where a plugin is published under an organizational namespace the publisher does not actually own.
In systems like npm, this is prevented automatically since only verified members of an organization can publish under its registered scope.
ClawHub documented the same rule in its publishing guidelines but did not enforce it consistently across all plugins in its catalog.
Out of 1,508 plugins in the catalog, 557 carry an @owner/ prefix, but not all have verified ownership. The 23 identified plugins belong to 15 distinct accounts, with some accounts holding clusters of them.
Plugin names like @openclaw/security-gate, @openclaw/fiat-wallet, and @clawhub/aisa-twitter-api sound like native, platform-level tools, which deepened the deception considerably for anyone browsing or scripting installs.
Six of the 23 were flagged suspicious by ClawHub’s own scanner, but the remaining 17 passed as clean. Ironically, @openclaw/security-gate, a security-review plugin, cleared the platform’s own audit despite not belonging to OpenClaw.
Manifold’s manual review found no planted malicious code in any version reviewed, but emphasized that a future update to any of these plugins could introduce harmful behavior without warning.
Why the AI Agent Supply Chain Needs Better Policing
The ClawHub incident reflects a broader pattern in the AI agent ecosystem, where rapid growth is outpacing the security controls meant to protect it.
A single plugin can attach hooks that forward prompts or environment variables to outside servers, pull in additional skills, or silently alter agent settings, often with no visible sign to the user.
When those plugins carry an official badge they did not earn, the risk becomes much harder to catch.
Developers working with AI agents should verify plugin authorship carefully before installation, cross-referencing the publishing account with the official organization’s known contributors.
Registries built on scope-based trust should enforce ownership at the point of publication rather than relying on post-publication audits alone.
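The two controls described above, a publish-time ownership gate for the registry and a post-publication sweep a developer can run before trusting an install, are illustrated below in an added example. This is illustrative code, not ClawHub's, OpenClaw's or Manifold's. The scope member rosters, the first-party and unscoped rows, and the @acme row in the sample catalog are assumptions; the scoped rows reuse the owner handles and ClawHub scan verdicts Manifold reported. The publish policy is fail-closed (an unregistered scope must be claimed before anyone can publish into it), which is a design choice, not a statement of how ClawHub works.

```python
import re

# Strict lowercase ASCII names: a scope that differs only by case or by a lookalike
# character must not parse as a different, unregistered scope, or as unscoped.
SCOPED_NAME = re.compile(r"^@([a-z0-9][a-z0-9._-]*)/([a-z0-9][a-z0-9._-]*)$")
UNSCOPED_NAME = re.compile(r"^[a-z0-9][a-z0-9._-]*$")

# Constructed: which accounts are verified members of each reserved scope.
# The member handles are assumptions for illustration, not ClawHub's real rosters.
SCOPE_MEMBERS = {
    "openclaw": {"openclaw-bot", "openclaw-maintainer"},
    "clawhub": {"clawhub-release"},
}


def parse_scope(plugin_name):
    """Split '@scope/name' into (scope, name); unscoped names give (None, name).
    Anything starting with '@' that is not a well-formed scoped name raises, so a
    malformed or lookalike scope can never fall through as 'unscoped'."""
    if plugin_name.startswith("@"):
        m = SCOPED_NAME.match(plugin_name)
        if not m:
            raise ValueError(f"malformed scoped name: {plugin_name!r}")
        return m.group(1), m.group(2)
    if not UNSCOPED_NAME.match(plugin_name):
        raise ValueError(f"malformed plugin name: {plugin_name!r}")
    return None, plugin_name


def check_publish(plugin_name, publisher, scope_members=SCOPE_MEMBERS):
    """Registry-side gate, run at publish time before the artifact is stored.
    Returns (allowed, reason). Policy is fail-closed: an unregistered scope must be
    claimed before anyone can publish into it (assumed policy for this example)."""
    try:
        scope, _ = parse_scope(plugin_name)
    except ValueError as exc:
        return False, str(exc)
    if scope is None:
        return True, "unscoped name; no ownership claim implied"
    members = scope_members.get(scope)
    if members is None:
        return False, f"scope @{scope} is not registered; claim it before publishing"
    if publisher not in members:
        return False, f"{publisher} is not a verified member of @{scope}"
    return True, f"{publisher} is a verified member of @{scope}"


def audit_catalog(catalog, scope_members=SCOPE_MEMBERS):
    """Post-publication sweep over an existing index: what a developer can run before
    trusting an install, or a registry over its back catalog.
    Catalog rows are (plugin_name, owner_account, scanner_verdict)."""
    flagged = []
    for name, owner, verdict in catalog:
        allowed, reason = check_publish(name, owner, scope_members)
        if not allowed:
            flagged.append({"plugin": name, "owner": owner, "scanner": verdict, "reason": reason})
    return flagged


def scanner_blind_spots(flagged):
    """Unauthorized plugins the content scanner nevertheless rated clean. Ownership is a
    separate control from malware scanning: a clean verdict says nothing about who
    published the bundle."""
    return [row["plugin"] for row in flagged if row["scanner"] == "clean"]


# Constructed sample catalog. Scoped rows reuse the owner handles and ClawHub scan
# verdicts Manifold reported; the first two rows and the @acme row are assumptions
# added for contrast (a legitimate first-party plugin, an unscoped one, an unclaimed scope).
SAMPLE_CATALOG = [
    ("@openclaw/whatsapp", "openclaw-bot", "clean"),
    ("markdown-linter", "some-user", "clean"),
    ("@openclaw/security-gate", "dsda56180", "clean"),
    ("@openclaw/fiat-wallet", "justiceessielp", "suspicious"),
    ("@clawhub/aisa-twitter-api", "bibaofeng", "suspicious"),
    ("@openclaw/openclaw-host-git-workflow", "teodorarg", "suspicious"),
    ("@openclaw/zulip", "niyazmft", "clean"),
    ("@acme/unclaimed-tool", "newcomer", "clean"),
]

if __name__ == "__main__":
    print(check_publish("@openclaw/security-gate", "dsda56180"))
    print(check_publish("@OpenClaw/whatsapp", "openclaw-bot"))
    flagged = audit_catalog(SAMPLE_CATALOG)
    for row in flagged:
        print(f"{row['plugin']:40} owner={row['owner']:16} scan={row['scanner']:10} {row['reason']}")
    print("rated clean but unauthorized:", scanner_blind_spots(flagged))
```

The point the sweep makes is the one the incident makes: of the six flagged rows in the sample, three carry a clean scanner verdict, including @openclaw/security-gate. A registry that only scans content and never checks the publisher against the scope's membership will keep shipping exactly those. Note also that the name parser refuses case or separator variants of a scope rather than treating them as new, unclaimed namespaces; a registry that normalizes loosely at lookup but strictly at publish (or the reverse) hands a squatter a second route in.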
Following Manifold’s disclosure, ClawHub acted swiftly by unlisting the plugins and launching a namespace claims procedure, a model other AI plugin registries should consider adopting.
Indicators of Compromise (IoCs):

The source material does not contain specific IoC artifacts such as IP addresses, file hashes, or malicious domains. However, the following plugin identifiers represent the unauthorized scope-squatting entries documented by Manifold Security:

Type | Indicator | Description
Plugin Name | @clawhub/prediction-market-arbitrage-zh | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean
Plugin Name | @clawhub/prediction-market-arbitrage | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean
Plugin Name | @clawhub/prediction-market-zh | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean
Plugin Name | @clawhub/prediction-market | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean
Plugin Name | @clawhub/aisa-twitter-api | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: suspicious
Plugin Name | @openclaw/ralph-loop | Unauthorized plugin under @openclaw scope; owner: pazyork; ClawHub scan: clean
Plugin Name | @openclaw/wework | Unauthorized plugin under @openclaw scope; owner: tansc; ClawHub scan: clean
Plugin Name | @openclaw/security-gate | Unauthorized plugin under @openclaw scope; owner: dsda56180; ClawHub scan: clean
Plugin Name | @openclaw/agent-exporter | Unauthorized plugin under @openclaw scope; owner: jxh0229; ClawHub scan: suspicious
Plugin Name | @openclaw/fiat-wallet | Unauthorized plugin under @openclaw scope; owner: justiceessielp; ClawHub scan: suspicious
Plugin Name | @openclaw/zulip | Unauthorized plugin under @openclaw scope; owner: niyazmft; ClawHub scan: clean
Plugin Name | @openclaw/open-prose | Unauthorized plugin under @openclaw scope; owner: sheygoodbai; ClawHub scan: clean
Plugin Name | @openclaw/time-injection | Unauthorized plugin under @openclaw scope; owner: willificent; ClawHub scan: clean
Plugin Name | @openclaw/knowledge-base-retrieval | Unauthorized plugin under @openclaw scope; owner: kwokmoon; ClawHub scan: clean
Plugin Name | @openclaw/icpswap | Unauthorized plugin under @openclaw scope; owner: onevroad-icp; ClawHub scan: suspicious
Plugin Name | @openclaw/xiaomi | Unauthorized plugin under @openclaw scope; owner: fengrenhongchao; ClawHub scan: clean
Plugin Name | @openclaw/openclaw-session-bloat-warning | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean
Plugin Name | @openclaw/openclaw-canon | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean
Plugin Name | @openclaw/openclaw-workflow-planner | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean
Plugin Name | @openclaw/openclaw-host-git-workflow | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: suspicious
Plugin Name | @openclaw/product-marketing-byteplus | Unauthorized plugin under @openclaw scope; owner: qsgec; ClawHub scan: clean
Plugin Name | @openclaw/openclaw-url-tailwind-scaffold | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean
Plugin Name | @openclaw/codex-claw100 | Unauthorized plugin under @openclaw scope; owner: yenadmin; ClawHub scan: suspicious
Registry URL | | URL of unauthorized @openclaw scoped plugin (now unlisted)
Registry URL | | URL of unauthorized @clawhub scoped plugin (now unlisted)
The post 23 ClawHub Plugins Abuse Official Org Scopes to Impersonate Trusted AI Agent Tools appeared first on Cyber Security News.