23 ClawHub Plugins Squatting Official Scopes Expose Critical AI Registry Security Gaps


Security researchers found 23 code-executing ClawHub plugins squatting official @openclaw and @clawhub scopes, exposing serious AI plugin registry vulnerabilities.

23 June 2026 · 5 min read

AI Plugin Registries Have a Serious Trust Problem — and ClawHub Just Proved It

A newly uncovered security incident is forcing the AI developer community to confront a vulnerability hiding in plain sight: the plugin registries powering today's AI agents are not nearly as secure as their npm-style packaging conventions imply. Researchers at Manifold Security have revealed that 23 code-executing plugins managed to occupy official scopes on ClawHub — a plugin registry whose packages run directly inside agents like Claude and OpenClaw — without any legitimate authorization to do so. The discovery, detailed by Ax Sharma, Head of Research at Manifold Security, in a Help Net Security video, exposes a systemic gap in how AI plugin ecosystems handle package ownership and scope governance.

What Is ClawHub and Why Do Its Scopes Matter?

ClawHub is a plugin registry purpose-built for AI agents. Much like npm serves the Node.js ecosystem or PyPI serves Python developers, ClawHub provides a centralized marketplace where developers publish plugins that AI agents can discover and execute. These plugins aren't passive libraries — they are active, code-executing components that run with the permissions and context of the agent invoking them.

To help users distinguish trustworthy, first-party plugins from third-party contributions, ClawHub uses npm-style scoped packages. Scopes are namespace prefixes — for example, @clawhub/ or @openclaw/ — that are meant to signal the publisher's identity. When a developer sees a package listed under @clawhub/, the implicit assumption is that ClawHub itself, or an organization it officially endorses, published and maintains that package. This naming convention is the foundational trust signal in the registry ecosystem. Without it, users have no reliable way to separate legitimate tools from imposters.

The Vulnerability: Official Scopes Were Left Unguarded

The critical flaw Manifold Security uncovered is deceptively simple: ClawHub had not reserved its official scopes — @clawhub/ and @openclaw/ — against the packages that had already been published under those names. In other words, whatever scope ownership the registry enforced, it did not apply comprehensively across the existing catalog. This left a window open for unauthorized actors to publish packages under namespaces that appeared to belong to ClawHub's own organization or its flagship partner projects.

Researchers found 23 such plugins already occupying these official-looking scopes without legitimate authorization. Because the scopes were not properly locked down, the packages passed a basic visual inspection as trustworthy — they carried the exact same namespace branding that genuine ClawHub-endorsed tools would use. Any developer or AI agent configured to automatically install or trust packages from these scopes would have had no obvious warning that something was wrong.

Why Code-Executing Plugins Raise the Stakes Dramatically

This isn't a theoretical risk about metadata manipulation or misleading documentation. The 23 identified plugins are code-executing — they run actual logic within the environment of the AI agent that loads them. When an AI agent like Claude or OpenClaw pulls in a plugin to extend its capabilities, it grants that plugin meaningful access to its operating context. Depending on how the agent is configured, this could include file system access, API credentials, network requests, user data, or the ability to influence the agent's outputs.

A malicious actor who successfully plants a code-executing plugin under an official-looking scope can effectively conduct a supply chain attack on every user or workflow that trusts that scope. The plugin doesn't need to be widely promoted — it only needs to be present in the registry under a convincing namespace. Automated tooling, CI/CD pipelines, and agent configuration scripts that resolve packages by scope name become unwitting vectors for compromise.

The Broader Pattern: AI Registries Inheriting Old Vulnerabilities

What makes the ClawHub incident particularly instructive is that it mirrors supply chain vulnerabilities the software industry has been grappling with in traditional package ecosystems for years. Typosquatting, dependency confusion, and scope hijacking are well-documented attack patterns in npm, PyPI, and RubyGems. The difference is that the AI plugin ecosystem is newer, less battle-hardened, and — critically — the packages it hosts have direct, privileged access to AI agent runtimes that can take real-world actions on behalf of users.

As more AI platforms adopt plugin architectures to extend agent capabilities, each new registry becomes a potential attack surface. If the governance primitives — scope ownership, publisher verification, package signing — are not implemented rigorously from day one, these registries inherit the worst of legacy package management risks while adding new ones unique to AI execution environments.

What Developers and Security Teams Should Do Now

The ClawHub incident offers concrete lessons for anyone building on or operating within AI plugin ecosystems:

  • Audit every dependency by publisher, not just by name. Official-looking scopes are not a guarantee of legitimacy. Verify that packages your agents consume are published by verified, trusted organizations and cross-reference against official changelogs or release announcements.
  • Pin plugin versions explicitly. Avoid resolving the latest version of any plugin automatically in production environments. Version pinning limits exposure to unexpected package updates or namespace takeovers.
  • Restrict agent plugin permissions. Apply the principle of least privilege to AI agent plugin configurations. A plugin that only needs to read structured data should not be granted broad filesystem or network access.
  • Monitor registries for scope anomalies. Security teams operating at scale should incorporate AI plugin registries into their software composition analysis workflows, flagging packages under official-looking scopes that lack verified publisher attestation.
  • Demand scope reservation policies from registry operators. If you publish or consume plugins on any AI registry, push for clear, enforceable policies that lock official scopes to verified owners and prevent unauthorized publishing under those namespaces.
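The scoped-name convention described earlier (@scope/name, mirroring npm) and the first four checklist items above can be turned into a consumer-side dependency audit. The following is an added example, not ClawHub's, Manifold Security's, or any registry's code: it parses locked plugin specs, checks each one against a map of which publisher accounts may own an official scope, flags lookalike scopes, unverified publishers, and floating version ranges. The OFFICIAL_SCOPE_OWNERS table, the LOCKFILE and the METADATA lookup are constructed sample data standing in for a real registry's scope policy and package metadata API, whose shape this example does not assume.

```python
"""Consumer-side audit of npm-style scoped AI plugin dependencies.

Added example (not ClawHub's, Manifold Security's, or any registry's own
code). Registry lookups are replaced by the constructed METADATA dict; the
official scope -> owner map is likewise constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: scopes the registry operator treats as official, and the
# publisher accounts allowed to own them. In practice this comes from the
# registry's scope-reservation policy, never from the package name itself.
OFFICIAL_SCOPE_OWNERS = {
    "@clawhub": {"clawhub-releases"},
    "@openclaw": {"openclaw-core"},
}

# Exact versions only: "1.2.0" pins; "^1.2.0", "~1.2", "latest", "*" do not.
_EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
# "@scope/name@version" or "name@version"; scope and version are optional.
_SPEC = re.compile(r"^(?:(@[a-z0-9][a-z0-9._-]*)/)?([a-z0-9][a-z0-9._-]*)(?:@(.+))?$")


@dataclass(frozen=True)
class PluginRef:
    scope: Optional[str]
    name: str
    version: Optional[str]

    @property
    def key(self) -> str:
        return f"{self.scope}/{self.name}" if self.scope else self.name


def parse_plugin_ref(spec: str) -> PluginRef:
    """Split 'scope/name@version' into its parts; raise on malformed specs."""
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"malformed plugin spec: {spec!r}")
    scope, name, version = m.groups()
    return PluginRef(scope, name, version)


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_official_scope(scope: Optional[str]) -> Optional[str]:
    """Return the official scope a non-official scope imitates, if any
    (e.g. '@clawhub-tools' or '@c1awhub' next to '@clawhub')."""
    if scope is None or scope in OFFICIAL_SCOPE_OWNERS:
        return None
    for official in OFFICIAL_SCOPE_OWNERS:
        base = official[1:]
        if base in scope[1:] or _edit_distance(scope[1:], base) <= 1:
            return official
    return None


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str  # "critical" or "warning"
    reason: str


def audit(lockfile: List[str], metadata: Dict[str, dict]) -> List[Finding]:
    """Check every locked spec against publisher metadata and scope policy."""
    findings: List[Finding] = []
    for spec in lockfile:
        ref = parse_plugin_ref(spec)
        meta = metadata.get(ref.key, {})
        publisher = meta.get("publisher")
        verified = meta.get("publisher_verified", False)

        # Official scope: the publisher must be one of the scope's owners.
        if ref.scope in OFFICIAL_SCOPE_OWNERS:
            if publisher not in OFFICIAL_SCOPE_OWNERS[ref.scope]:
                findings.append(Finding(ref.key, "critical",
                    f"official scope {ref.scope} but publisher {publisher!r} is not a scope owner"))
        elif (imitated := lookalike_official_scope(ref.scope)):
            findings.append(Finding(ref.key, "warning",
                f"scope {ref.scope} resembles official scope {imitated}"))

        if not verified:
            findings.append(Finding(ref.key, "warning", "publisher is not verified by the registry"))
        if ref.version is None or not _EXACT_SEMVER.match(ref.version):
            findings.append(Finding(ref.key, "warning",
                f"version {ref.version!r} is not pinned to an exact release"))
    return findings


# Constructed sample lockfile and registry metadata (publisher ids are made up).
LOCKFILE = [
    "@clawhub/web-search@1.4.2",   # genuine owner, pinned
    "@clawhub/web-serch@0.1.0",    # official scope, non-owner publisher
    "@openclaw/memory@^2.0.0",     # genuine owner, but a floating range
    "@c1awhub/pdf-tools@1.0.0",    # lookalike scope
    "csv-parse-helper@3.2.1",      # unscoped, unverified publisher
]
METADATA = {
    "@clawhub/web-search": {"publisher": "clawhub-releases", "publisher_verified": True},
    "@clawhub/web-serch": {"publisher": "acct-7f3a", "publisher_verified": False},
    "@openclaw/memory": {"publisher": "openclaw-core", "publisher_verified": True},
    "@c1awhub/pdf-tools": {"publisher": "acct-9c1d", "publisher_verified": False},
    "csv-parse-helper": {"publisher": "jdoe", "publisher_verified": False},
}

if __name__ == "__main__":
    for f in audit(LOCKFILE, METADATA):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

The important design choice is that the "critical" verdict never depends on the scope string alone: the scope only selects which owner set applies, and the verdict comes from the registry-attested publisher identity. Running the audit in CI against the agent's lockfile turns the checklist into a gate that fails the build on any critical finding.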

The Responsibility Falls on Registry Operators Too

While developers and security teams carry responsibility for their own pipelines, the ClawHub case makes clear that registry operators must treat scope governance as a foundational security control — not an afterthought. Reserving official scopes, enforcing publisher verification, and conducting proactive audits of already-published packages are baseline expectations in a mature package ecosystem. As AI agent platforms scale and the plugin economy expands, the cost of getting this wrong will only increase.
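The three operator-side controls named above (reserving official scopes, enforcing publisher verification, and auditing already-published packages) can be modelled together, which makes the gap described in this article concrete: a reservation that only gates future publishes leaves pre-existing packages untouched. The following is an added example, not ClawHub's registry code; its in-memory catalog, reservation table, publisher account ids and package names are constructed, and a real registry would bind publisher identity to authenticated accounts and persist all of this in its database.

```python
"""Registry-side scope governance: a publish gate plus a retroactive sweep.

Added example, not ClawHub's or any real registry's code. Everything here
(catalog, owner accounts, package names) is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Package:
    scope: str       # e.g. "@clawhub"
    name: str        # e.g. "web-search"
    publisher: str   # authenticated publisher account id


class ScopeRegistry:
    """Minimal registry model: a catalog, a scope reservation table and a quarantine set."""

    def __init__(self) -> None:
        self._catalog: Dict[Tuple[str, str], Package] = {}
        self._reserved: Dict[str, Set[str]] = {}
        self._quarantined: Set[Tuple[str, str]] = set()

    def publish(self, pkg: Package) -> None:
        """Publish gate: reject writes into a reserved scope by a non-owner and
        reject taking over an existing name from a different publisher."""
        owners = self._reserved.get(pkg.scope)
        if owners is not None and pkg.publisher not in owners:
            raise PermissionError(f"{pkg.scope} is reserved; {pkg.publisher} is not an owner")
        existing = self._catalog.get((pkg.scope, pkg.name))
        if existing is not None and existing.publisher != pkg.publisher:
            raise PermissionError(f"{pkg.scope}/{pkg.name} belongs to {existing.publisher}")
        self._catalog[(pkg.scope, pkg.name)] = pkg

    def audit_scope(self, scope: str) -> List[Package]:
        """Every package already in the catalog under `scope` whose publisher is not an owner."""
        owners = self._reserved.get(scope, set())
        return [p for (s, _), p in self._catalog.items() if s == scope and p.publisher not in owners]

    def reserve_scope(self, scope: str, owners: Iterable[str]) -> List[Package]:
        """Reserve a scope AND sweep the existing catalog. Reserving alone would
        only guard future publishes and leave earlier squatters in place."""
        self._reserved[scope] = set(owners)
        squatters = self.audit_scope(scope)
        for p in squatters:
            self._quarantined.add((p.scope, p.name))
        return squatters

    def is_installable(self, scope: str, name: str) -> bool:
        """Quarantined packages stay in the catalog for investigation but cannot be installed."""
        key = (scope, name)
        return key in self._catalog and key not in self._quarantined


def walkthrough() -> dict:
    """Constructed scenario: packages land under official-looking scopes before
    those scopes are reserved; reservation then sweeps the catalog and gates publishes."""
    reg = ScopeRegistry()
    reg.publish(Package("@clawhub", "web-search", "clawhub-releases"))   # genuine
    reg.publish(Package("@clawhub", "web-serch", "acct-7f3a"))           # squatter, pre-reservation
    reg.publish(Package("@openclaw", "memory-sync", "acct-9c1d"))        # squatter, pre-reservation

    found = reg.reserve_scope("@clawhub", ["clawhub-releases"])
    found += reg.reserve_scope("@openclaw", ["openclaw-core"])

    rejected = 0
    try:
        reg.publish(Package("@openclaw", "file-tools", "acct-9c1d"))     # now blocked
    except PermissionError:
        rejected += 1
    reg.publish(Package("@openclaw", "file-tools", "openclaw-core"))     # owner still can

    return {
        "squatters_found": sorted(f"{p.scope}/{p.name}" for p in found),
        "post_reservation_rejections": rejected,
        "genuine_installable": reg.is_installable("@clawhub", "web-search"),
        "squatter_installable": reg.is_installable("@clawhub", "web-serch"),
        "owner_publish_installable": reg.is_installable("@openclaw", "file-tools"),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The sweep in reserve_scope is the part that matters for this incident: the publish gate by itself is the "from day one" control, while audit_scope is what closes the window for a registry that adds reservations after packages already exist. Keeping swept packages in quarantine rather than deleting them outright preserves evidence for the operator's investigation while denying installs immediately.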

The good news is that the attack patterns here are known and well-understood. The challenge is cultural and operational: AI tooling moves fast, and security processes often struggle to keep pace. The 23 plugins uncovered on ClawHub are a warning shot. The AI developer community should treat them as a forcing function to harden plugin registries before a more damaging incident demonstrates why it mattered.

Conclusion

The discovery of 23 unauthorized, code-executing plugins squatting official scopes on ClawHub is a significant signal about the current state of AI plugin registry security. As AI agents become more capable and more deeply integrated into workflows that affect real users and real data, the integrity of the ecosystems they draw plugins from becomes a critical security concern. Scope squatting in AI registries is not a novel category of threat — but its potential consequences in an AI-native execution environment are more severe than in traditional software contexts. Staying ahead of it requires immediate action from registry operators, developers, and security teams alike.

Tags: ClawHub plugins, AI registry security, plugin scope squatting, AI agent security, npm scope hijacking, AI supply chain attack, Claude plugins security