Critical ClawHub Vulnerability: 23 Plugins Impersonate Trusted AI Agents
Key Takeaways
- Twenty-three plugins on the ClawHub registry were found impersonating official tools from OpenClaw and ClawHub.
- The vulnerability stemmed from ClawHub’s inconsistent enforcement of its trust model, allowing unauthorized third parties to publish under reserved organizational namespaces.
- These deceptive plugins, designed for AI coding agents like Claude Code, Cursor, and Codex, carried high-privilege execution capabilities, presenting a significant supply chain risk.
- While no malicious code was detected at the time of discovery, the potential for future malicious updates was a primary concern.
- ClawHub swiftly responded by removing the plugins and introducing a formal process for disputing unauthorized namespace usage.
A significant supply chain vulnerability has been identified within the burgeoning AI agent ecosystem. Researchers uncovered 23 plugins on the ClawHub registry that were deceptively published under official organizational scopes, such as “@openclaw/” and “@clawhub/”, without proper authorization. This “scope squatting” allowed external accounts to masquerade as legitimate first-party developers, potentially misleading users of AI coding agents like Claude Code, Cursor, and Codex into installing compromised tools.
ClawHub functions as the central registry for plugins and skills compatible with OpenClaw. It employs a scoping system, similar to npm, where a “@owner/” prefix typically signifies the publisher. However, a critical lapse in enforcing this trust model enabled unverified third-party accounts to publish under reserved organizational namespaces, creating a severe security loophole.
Discovery and Remediation Efforts
Analysts at Manifold Security identified all 23 rogue plugins and documented them in a detailed report. The plugins used the same prefixes as ClawHub’s own legitimate tools, for instance “@openclaw/whatsapp” and “@openclaw/codex”, so developers were highly likely to mistake them for official, platform-level offerings.
Every one of the 23 identified plugins possessed the capability to execute code within the agent environment. Several were observed performing high-privilege operations, including autonomous payment processing, execution of host-level Git commands, exporting agent configurations, and connecting to external APIs. The combination of these powerful permissions with the illusion of official endorsement created a potent supply chain risk that most developers would not anticipate.
Manifold Security promptly disclosed the vulnerability to ClawHub on June 17, 2026, via GitHub’s security advisory workflow, followed by an email the next day. ClawHub reacted swiftly, unlisting all 23 deceptive plugins by June 19 and subsequently establishing a formal dispute resolution process for instances of unauthorized namespace usage.
The Mechanics of Scope Squatting
The vulnerability, termed “scope squatting” by the researchers, involves an actor publishing a plugin under an organizational namespace they do not legitimately own. In contrast, established systems like npm automatically prevent this by requiring verified organization members to publish under a registered scope. While ClawHub’s publishing guidelines nominally included a similar rule, its enforcement was inconsistent across the plugin catalog.
Out of 1,508 plugins listed on ClawHub, 557 utilize an “@owner/” prefix, but not all of these had verified ownership. The 23 deceptive plugins were linked to 15 distinct accounts, with some accounts managing multiple impersonating plugins. Examples such as “@openclaw/security-gate,” “@openclaw/fiat-wallet,” and “@clawhub/aisa-twitter-api” were designed to sound like core, platform-level tools, significantly boosting their deceptive potential for users browsing or scripting installations.
Interestingly, ClawHub’s internal scanner flagged only six of the 23 plugins as suspicious, allowing the remaining 17, including “@openclaw/security-gate” (a plugin purporting to be for security review), to pass its audit. Manifold’s manual review did not uncover any embedded malicious code in the versions analyzed. However, researchers emphasized the critical risk that future updates to these plugins could silently introduce malicious behavior, making the initial lack of active malware a temporary reprieve.
Strengthening the AI Agent Supply Chain
The ClawHub incident underscores a persistent challenge within the rapidly evolving AI agent ecosystem: the speed of innovation often outpaces the implementation of robust security controls. A single plugin can establish hooks to forward sensitive data, integrate additional functionalities, or silently alter agent settings, frequently without any discernible indication to the user. When such plugins carry an undeserved “official” badge, the risk becomes significantly more difficult to detect and mitigate.
Developers interacting with AI agents must meticulously verify plugin authorship before installation, cross-referencing publishing accounts with known contributors of official organizations. Registries that rely on scope-based trust models should enforce ownership verification at the point of publication, rather than solely depending on post-publication audits. ClawHub’s prompt response to Manifold’s disclosure, including unlisting the plugins and introducing a namespace claims procedure, offers a valuable blueprint for other AI plugin registries to consider adopting.
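The publish-time ownership check this section calls for, together with a catalog sweep for the same condition, as an added example that is not ClawHub’s or Manifold’s code. The scope registry, its member accounts and the sample catalog are constructed; the two squatted names and their owner accounts are taken from the IoC table below.

```python
import re

# Constructed scope registry for this example: scope -> verified member accounts.
# A real registry would back this with organisation membership data.
SCOPE_OWNERS = {
    "openclaw": {"openclaw-bot", "openclaw-maintainer"},
    "clawhub": {"clawhub-admin"},
}

# npm-style scoped name "@scope/package"; anything else is treated as unscoped.
SCOPED_NAME = re.compile(r"^@([a-z0-9][a-z0-9._-]*)/([a-z0-9][a-z0-9._-]*)$")

def parse_scope(name):
    """Split '@scope/pkg' into (scope, pkg); unscoped names give (None, name)."""
    m = SCOPED_NAME.match(name)
    return (m.group(1), m.group(2)) if m else (None, name)

def check_publish(name, publisher, scope_owners=SCOPE_OWNERS):
    """Publish-time gate: a scoped name is accepted only from a verified member
    of the organisation that registered the scope. Returns (allowed, reason)."""
    scope, _ = parse_scope(name)
    if scope is None:
        return True, "unscoped name; no organisational trust implied"
    members = scope_owners.get(scope)
    if members is None:
        return False, f"@{scope} is not a registered scope; claim it first"
    if publisher not in members:
        return False, f"{publisher} is not a verified member of @{scope}"
    return True, f"{publisher} verified for @{scope}"

def audit_catalog(catalog, scope_owners=SCOPE_OWNERS):
    """Post-publication sweep over (name, publisher) pairs: every entry the
    publish-time gate would have rejected, with the reason."""
    findings = []
    for name, publisher in catalog:
        allowed, reason = check_publish(name, publisher, scope_owners)
        if not allowed:
            findings.append((name, publisher, reason))
    return findings

# Constructed catalog: two squatted names from the IoC table with their listed
# owners, one legitimate scoped plugin (hypothetical publisher), one unregistered scope, one unscoped.
SAMPLE_CATALOG = [
    ("@openclaw/security-gate", "dsda56180"),
    ("@clawhub/aisa-twitter-api", "bibaofeng"),
    ("@openclaw/whatsapp", "openclaw-bot"),
    ("@indie-dev/helper", "indie-dev"),
    ("plain-plugin", "anyone"),
]
```

Running `audit_catalog(SAMPLE_CATALOG)` flags the two squatted names and the unregistered scope, while the verified @openclaw publisher and the unscoped plugin pass.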
What You Should Do
- Verify Plugin Authorship: Always confirm the legitimate source and official ownership of any plugin before installation, especially for those claiming to be from official organizations.
- Cross-Reference Publishers: Compare the details of the publishing account with the official organization’s documented contributors or official channels.
- Exercise Caution with High-Privilege Plugins: Be particularly vigilant with plugins that request extensive permissions or perform high-privilege actions, such as payment processing or host-level command execution.
- Stay Informed: Keep abreast of the latest security advisories and best practices from AI agent platforms and reputable security researchers.
- Report Suspicious Activity: If you encounter plugins that appear deceptive or unauthorized, report them to the registry maintainers immediately through their official channels.
Indicators of Compromise (IoCs)
The following plugin identifiers represent the unauthorized scope-squatting entries documented by Manifold Security. For a comprehensive list and further details, refer to the full report:
| Type | Indicator | Description |
|---|---|---|
| Plugin Name | @clawhub/prediction-market-arbitrage-zh | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean |
| Plugin Name | @clawhub/prediction-market-arbitrage | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean |
| Plugin Name | @clawhub/prediction-market-zh | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean |
| Plugin Name | @clawhub/prediction-market | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: clean |
| Plugin Name | @clawhub/aisa-twitter-api | Unauthorized plugin under @clawhub scope; owner: bibaofeng; ClawHub scan: suspicious |
| Plugin Name | @openclaw/ralph-loop | Unauthorized plugin under @openclaw scope; owner: pazyork; ClawHub scan: clean |
| Plugin Name | @openclaw/wework | Unauthorized plugin under @openclaw scope; owner: tansc; ClawHub scan: clean |
| Plugin Name | @openclaw/security-gate | Unauthorized plugin under @openclaw scope; owner: dsda56180; ClawHub scan: clean |
| Plugin Name | @openclaw/agent-exporter | Unauthorized plugin under @openclaw scope; owner: jxh0229; ClawHub scan: suspicious |
| Plugin Name | @openclaw/fiat-wallet | Unauthorized plugin under @openclaw scope; owner: justiceessielp; ClawHub scan: suspicious |
| Plugin Name | @openclaw/zulip | Unauthorized plugin under @openclaw scope; owner: niyazmft; ClawHub scan: clean |
| Plugin Name | @openclaw/open-prose | Unauthorized plugin under @openclaw scope; owner: sheygoodbai; ClawHub scan: clean |
| Plugin Name | @openclaw/time-injection | Unauthorized plugin under @openclaw scope; owner: willificent; ClawHub scan: clean |
| Plugin Name | @openclaw/knowledge-base-retrieval | Unauthorized plugin under @openclaw scope; owner: kwokmoon; ClawHub scan: clean |
| Plugin Name | @openclaw/icpswap | Unauthorized plugin under @openclaw scope; owner: onevroad-icp; ClawHub scan: suspicious |
| Plugin Name | @openclaw/xiaomi | Unauthorized plugin under @openclaw scope; owner: fengrenhongchao; ClawHub scan: clean |
| Plugin Name | @openclaw/openclaw-session-bloat-warning | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean |
| Plugin Name | @openclaw/openclaw-canon | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean |
| Plugin Name | @openclaw/openclaw-workflow-planner | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean |
| Plugin Name | @openclaw/openclaw-host-git-workflow | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: suspicious |
| Plugin Name | @openclaw/product-marketing-byteplus | Unauthorized plugin under @openclaw scope; owner: qsgec; ClawHub scan: clean |
| Plugin Name | @openclaw/openclaw-url-tailwind-scaffold | Unauthorized plugin under @openclaw scope; owner: teodorarg; ClawHub scan: clean |
| Plugin Name | @openclaw/codex-claw100 | Unauthorized plugin under @openclaw scope; owner: yenadmin; ClawHub scan: suspicious |
| Registry URL | https://clawhub.ai/plugins/@openclaw/security-gate | Archived URL of unauthorized @openclaw scoped plugin (now unlisted) |
| Registry URL | https://clawhub.ai/plugins/@clawhub/aisa-twitter-api | Archived URL of unauthorized @clawhub scoped plugin (now unlisted) |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.