News Article · Jun 22, 2026 at 1:39 PM
ClawHub Plugin Squatting Exposes Security Gaps in AI Agent Registries
Security #AI security #supply chain #ClawHub #plugin registry #scope squatting #Ax Sharma #Manifold Security

Security researchers found 23 code-executing plug-ins on ClawHub under official @openclaw and @clawhub scopes, but owned by unrelated parties, highlighting registry security gaps.

On June 22, 2026, security researchers disclosed that 23 plug-ins on the ClawHub registry were squatting on official scopes such as @openclaw and @clawhub, exposing a critical gap in how AI agent registries validate publisher identity. ClawHub is a plugin registry used with Claude, OpenClaw, and other AI agents, where packages are published under scopes modeled after npm naming conventions.

Ax Sharma, Head of Research at Manifold Security, documented that these 23 plug-ins were capable of executing code on the systems where they were installed, yet they were published under official-looking scopes without being owned by the legitimate scope holders. This means an attacker could deceive users into trusting a plug-in based solely on its scope name.

Scope Reservation Flaws

In npm-style registries, a scope such as @openclaw is meant to signal that the package was published by the organization or project named in the scope. ClawHub, however, did not reserve those scopes to their legitimate owners across every package already in the registry. As a result, unrelated accounts could claim the same scope name for new or existing plug-ins, creating a supply chain risk even when the code itself was not malicious.

  • The 23 affected plug-ins were all capable of code execution, posing a direct security threat to users who installed them.
  • Official scopes @openclaw and @clawhub were among those squatted, making the plug-ins appear trustworthy.
  • The disclosure led ClawHub to implement changes after being notified by Sharma.
  • The vulnerability model mirrors classic registry squatting, but applied to the emerging AI agent ecosystem.
  • No evidence indicates the squatted plug-ins were used in a real attack before discovery.
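The gap described above has two halves: a publish-time gate that refuses uploads into a scope the publisher does not own, and a retroactive audit of packages that were already in the registry before the scope was reserved. The following is an added example written for this article, not ClawHub's code or Manifold Security's tooling; the ownership model (a scope maps to a set of owning accounts, and an unreserved scope is claimed by its first publisher) and all account and package names are constructed assumptions.

```python
"""Scope-reservation enforcement for an npm-style plugin registry.

Added example, not ClawHub's own code. It models a registry that reserves
scopes (e.g. "@openclaw") to an owning organisation, gates publishes on scope
ownership, and audits packages already present for scope squatting.
All accounts, scopes and package names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
import re

# Scoped names look like "@scope/pkg"; scope and package are lower-cased.
SCOPE_RE = re.compile(r"^@([a-z0-9][a-z0-9-]*)/([a-z0-9][a-z0-9._-]*)$")


def split_scoped_name(name: str) -> Optional[tuple[str, str]]:
    """Return (scope, package) for '@scope/pkg', or None if unscoped/invalid."""
    m = SCOPE_RE.match(name.lower())
    return (m.group(1), m.group(2)) if m else None


@dataclass
class Package:
    name: str            # e.g. "@openclaw/shell-tool"
    publisher: str       # account that published it
    executes_code: bool = False  # plug-in runs code on install/use


@dataclass
class Registry:
    # scope -> accounts allowed to publish under it (hypothetical ownership model)
    scope_owners: dict[str, set[str]] = field(default_factory=dict)
    packages: dict[str, Package] = field(default_factory=dict)

    def reserve_scope(self, scope: str, owners: set[str]) -> None:
        """Reserve (or re-assign) a scope to the given owner accounts."""
        self.scope_owners[scope.lstrip("@").lower()] = {o.lower() for o in owners}

    def can_publish(self, name: str, publisher: str) -> tuple[bool, str]:
        """Publish-time gate: only scope owners may publish into a reserved scope."""
        parsed = split_scoped_name(name)
        if parsed is None:
            return False, "unscoped or malformed package name"
        scope, _ = parsed
        owners = self.scope_owners.get(scope)
        if owners is None:
            # Unreserved scope: the first publisher claims it, so later
            # packages in that scope are tied to the same account.
            return True, "claims unreserved scope"
        if publisher.lower() in owners:
            return True, "publisher owns scope"
        return False, f"scope @{scope} is reserved to another owner"

    def publish(self, pkg: Package) -> bool:
        ok, _reason = self.can_publish(pkg.name, pkg.publisher)
        if ok:
            scope, _ = split_scoped_name(pkg.name)
            self.scope_owners.setdefault(scope, {pkg.publisher.lower()})
            self.packages[pkg.name] = pkg
        return ok

    def audit_squatting(self) -> list[tuple[str, str]]:
        """Retroactive check: list (package, reason) for packages whose
        publisher does not own the scope they sit in. This is what a registry
        must run when scopes are reserved after packages already exist."""
        findings = []
        for name, pkg in self.packages.items():
            scope, _ = split_scoped_name(name)
            owners = self.scope_owners.get(scope, set())
            if pkg.publisher.lower() not in owners:
                severity = "code-executing" if pkg.executes_code else "non-executing"
                findings.append((name, f"{severity} package squatting @{scope}"))
        return findings


def demo() -> list[tuple[str, str]]:
    """Walk through the squatting scenario with constructed data."""
    reg = Registry()
    # A stranger publishes under @openclaw before the scope is reserved.
    reg.publish(Package("@openclaw/shell-tool", "random-user", executes_code=True))
    reg.publish(Package("@someone/notes", "random-user"))
    # The registry then reserves the official scope to the real organisation.
    reg.reserve_scope("@openclaw", {"openclaw-org"})
    # New squatting attempts are rejected; the legitimate owner can still publish.
    reg.publish(Package("@openclaw/another", "random-user"))
    reg.publish(Package("@openclaw/official", "openclaw-org"))
    # Only the pre-existing squatted package is flagged.
    return reg.audit_squatting()


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

The gate alone would not have caught the 23 plug-ins in the article, because they were already in the registry; the audit step is the part a registry needs when it adopts scope reservation late, and flagging code-executing packages first is a reasonable triage order.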

Implications for AI Supply Chains

The incident highlights a recurring pattern: as new AI tools, asset registries, and agent platforms emerge, security gaps emerge alongside them. Traditional software registries like npm and PyPI have dealt with typo-squatting and scope confusion for years, but the stakes are higher when AI agents execute plug-ins autonomously.

Sharma noted in the disclosure that an official-looking scope is a supply chain risk even when the code is not malicious, because users infer trust from the name. The registry has since updated its policies, but the broader lesson is that AI agent platforms must adopt stricter identity verification and scope reservation from day one. The industry can expect more disclosures of similar gaps as researchers probe these new ecosystems.

Fact check

  • 23 plug-ins on ClawHub were squatting on official scopes like @openclaw and @clawhub.

  • The 23 plug-ins were capable of code execution.

  • ClawHub did not reserve official scopes to their owners for all packages.

  • ClawHub made changes after the disclosure.
