23 Malicious ClawHub Plugins Squat Official Scopes, Exposing AI Registry Security Gaps
Researchers discovered 23 malicious plugins on the ClawHub AI agent registry that exploited unreserved official scopes to execute arbitrary code within Claude and OpenClaw agents.

Ax Sharma, Head of Research at Manifold Security, has uncovered a significant supply-chain vulnerability in the ClawHub AI agent registry. In a video published by Help Net Security, Sharma details how 23 malicious plugins were able to squat under official-looking scopes such as @openclaw and @clawhub, despite being owned by unrelated accounts. The core issue: ClawHub failed to reserve those scopes for their legitimate owners, allowing attackers to publish plugins that appeared to come from trusted sources.
The plugins, once installed, could execute arbitrary code within Claude, OpenClaw, and other AI agents that rely on the ClawHub registry. This represents a classic supply-chain attack vector, but one that is particularly dangerous in the AI ecosystem. Unlike traditional software registries where malicious packages might steal credentials or install backdoors, AI agent plugins have direct access to the agent's reasoning loop, data, and even the ability to issue commands on behalf of the user.
Sharma's investigation revealed that the scope squatting was possible because ClawHub's registry did not enforce ownership verification for scopes at the time of publication. While npm-style scopes are meant to signal authenticity, the lack of reservation meant that any user could publish a package under @openclaw or @clawhub without proving they represented those organizations. The 23 malicious plugins exploited this gap to appear legitimate, increasing the likelihood that developers and users would trust and install them.
After Sharma disclosed the issue, ClawHub implemented changes to reserve official scopes and improve validation. However, the incident highlights a broader pattern: as new AI tools, assets, and registries appear, security gaps emerge right alongside them. The AI plugin ecosystem is still in its infancy, and many registries lack the maturity of established package managers like npm or PyPI, which have spent years hardening their supply-chain defenses.
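To make the gap concrete, here is an added illustration (not ClawHub's code) of a registry-side publish check with reservation enforcement switched off, reproducing the weakness described above, and switched on, reproducing the fix. The scope names come from the article; the organisation ids, user ids, and package names are constructed assumptions.

```python
"""Illustrative scope-reservation check for a scoped package registry."""
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not ClawHub's real configuration):
# which organisation owns each reserved scope, and who belongs to each org.
RESERVED_SCOPES = {"openclaw": "org-openclaw", "clawhub": "org-clawhub"}
ORG_MEMBERS = {"org-openclaw": {"alice"}, "org-clawhub": {"bob"}}


@dataclass
class Registry:
    reserved_scopes: dict
    org_members: dict
    enforce_reservation: bool = True  # False reproduces the pre-fix behaviour
    published: dict = field(default_factory=dict)  # package name -> publisher

    def publish(self, package: str, publisher: str) -> tuple:
        """Decide whether `publisher` may publish `package` (e.g. '@openclaw/tool').

        Returns (accepted, reason). With enforcement on, a reserved scope is only
        writable by members of the organisation it is reserved for.
        """
        if not package.startswith("@") or "/" not in package:
            return False, "package must be scoped as @scope/name"
        scope, name = package[1:].split("/", 1)
        if not scope or not name:
            return False, "empty scope or name"

        # The fix: reserved scopes require proof of organisation membership.
        owner_org = self.reserved_scopes.get(scope)
        if owner_org is not None and self.enforce_reservation:
            if publisher not in self.org_members.get(owner_org, set()):
                return False, f"scope @{scope} is reserved for {owner_org}"

        # Ordinary first-come ownership of an individual package name.
        if package in self.published and self.published[package] != publisher:
            return False, "name already owned by another publisher"

        self.published[package] = publisher
        return True, "published"
```

With enforcement off, any account can publish `@openclaw/agent-helper`; with enforcement on, only a member of the owning organisation can.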
The discovery comes amid a wave of security research into AI supply-chain risks. Earlier this month, 25 CVEs were disclosed in OpenClaw itself, including a critical authentication bypass (CVE-2026-53838). Separately, researchers found that hundreds of AI-powered iOS apps exposed exploitable credentials, and a coordinated campaign compromised over 10,000 GitHub repositories to distribute malware. The ClawHub incident underscores that the weakest link in AI security may not be the models themselves, but the infrastructure that delivers and manages them.
For now, users of ClawHub plugins are advised to verify the publisher's identity through independent channels before installing any plugin, even those under official-looking scopes. The registry's changes are a step forward, but the incident serves as a warning: in the rush to build AI ecosystems, security fundamentals like scope reservation and publisher verification cannot be an afterthought.