2026-06-22
HighMedia reportManifold Security found 23 ClawHub plugins published under @openclaw/ and @clawhub/ scopes by unauthorized accounts, exposing Claude Code, Cursor, and Codex to silent supply chain compromise.
What happened
Third-party accounts published 23 code-executing plugins under @openclaw/ and @clawhub/ organizational scopes on ClawHub without authorization, making them appear to be official OpenClaw tools to any developer browsing or scripting plugin installs.
Why it matters
23 plugins with user-level authority inside agent environments appeared as trusted official tools on the registry used by Claude Code, Cursor, and Codex. Developers installing them had no visible signal the plugins were not official. Several performed high-privilege actions including autonomous payment processing, host-level git commands, agent configuration export, and external API connections.
Missing authorization check
Scope ownership verification enforced at point of publication — not post-publication auditing — to prevent unauthorized accounts from publishing under reserved organizational namespaces.
Would PP block it?
PP enforcement sits at the action layer, not the plugin installation or scope-validation layer. A scope-squatted plugin that triggers a payment or git push inside the agent environment would need a PP-signed receipt for those specific actions. The plugin can look official in the registry but cannot produce a valid PP authority receipt without going through the external enforcement gate. What PP does not close: it cannot prevent installation of a misleading plugin or stop low-privilege actions the plugin executes before reaching PP’s enforcement boundary.
Incident analysis
2026-06-17
Manifold Security reports 23 scope-squatting plugins to ClawHub via GitHub’s security advisory workflow.
2026-06-18
Manifold sends a courtesy email to ClawHub to confirm the disclosure was received.
2026-06-19
ClawHub unlists all 23 misleading plugins and adds a formal dispute process for reporting unauthorized namespace usage.
2026-06-22
Manifold Security publishes findings; CybersecurityNews and Help Net Security cover the disclosure.
Authorization boundary
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
PP’s authorization chain is external to the plugin registry. Even if a scope-squatted plugin executes inside an agent, high-impact actions (payments, git mutations, credential exports) require PP-signed receipts issued through an independent channel the plugin cannot forge.
Related incidents and controls
ClawHavoc: 1,184 Malicious Skills Uploaded to OpenClaw ClawHub Marketplace Delivering Atomic Stealer Targeting API Keys, SSH Creds, and Browser Passwords
Fake AI Agent Skill Bypassed All Security Scanners and Reportedly Reached 26,000 Agents via Staged External Payload
Clinejection: Cline CLI 2.3.0 npm Supply Chain Attack Silently Installed OpenClaw on ~4,000 Developer Machines via Prompt Injection and GitHub Actions Cache Poisoning
Sapphire Sleet (North Korean APT BlueNoroff) Hijacked Mastra npm Scope and Republished 142 Packages Injecting easy-day-js RAT Over 88 Minutes
TrapDoor Cross-Ecosystem Supply Chain: 34 Packages Planted Hidden AI Instructions in CLAUDE.md and .cursorrules to Poison Coding Assistants on Developer Machines
Start small
This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.