Scope Squatting on ClawHub Exposes AI Supply Chain Risks | eSecurity Planet

Scope squatting on ClawHub highlights AI supply chain risks.

Written By
Ken Underhill
Jun 22, 2026
4 minute read

Organizations relying on AI plugins and agent ecosystems may be placing more trust in package names than they realize. 

Researchers at Manifold Security discovered 23 code-executing plugins published under ClawHub’s official-looking @openclaw and @clawhub namespaces. 

Although the plugins appeared to be associated with those organizations, they were actually owned by unrelated accounts, creating a risk that users could mistake them for official offerings. 

“Of the 1,508 plugins in the catalog, 557 carry an ‘@owner/’ scope,” said the researchers.

They explained, “But not all of those scopes are ownership-verified, and 23 of them sit under the ‘@openclaw/’ or ‘@clawhub/’ names while belonging to unrelated accounts.” 

Key Takeaways of the ClawHub Scope Squatting

  • Researchers discovered 23 code-executing plugins published under ClawHub’s official-looking @openclaw and @clawhub namespaces despite being owned by unrelated accounts.
  • The issue stems from inconsistent enforcement of namespace ownership verification, a key trust mechanism used to validate software provenance.
  • Many of the affected plugins can execute code, access external APIs, and perform actions on behalf of AI agents, increasing the potential impact of misuse.
  • Manifold Security found no evidence of malicious code in the reviewed plugins, but warned that trusted-looking namespaces could be used to increase adoption of malicious software.
  • The findings highlight the growing importance of software provenance, namespace verification, and supply chain security in AI plugin and agent ecosystems.

Inside the ClawHub Discovery 

The issue affects ClawHub, a plugin and skill registry for OpenClaw that hosts more than 1,500 plugins for AI agents and Claude-compatible environments. 

According to Manifold Security, 557 plugins in the registry use an @owner/ naming convention designed to identify the publisher behind a package. 

During their review, researchers discovered 23 code-executing plugins published under the official-looking @openclaw and @clawhub namespaces despite being owned by unaffiliated accounts.

Why Namespace Verification Matters 

The findings are notable because organizational namespaces serve as an important trust signal across software ecosystems. 

In registries such as npm, only authorized members of an organization can publish packages under its namespace, helping users verify software provenance and authenticity before installation. 

ClawHub’s documentation states the same rule: a package’s scope should match the owner who publishes it, which, if enforced, prevents users from claiming namespaces they do not control. 

However, the researchers found that the platform was not consistently enforcing that ownership check at publish time, so a scope such as @openclaw/ could be used by an account with no relationship to the OpenClaw project.
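The check the researchers describe amounts to comparing each scoped name against the account that actually published it and the registry’s own verification flag. The script below is an added example written for this article, not ClawHub’s or Manifold Security’s code: it audits a constructed catalog (every plugin name and account in it is invented) for the three conditions the article distinguishes, an official-looking scope held by an unrelated account, any other scope that does not match its publisher, and a matching but never-verified scope, and it doubles as a client-side pre-install gate. The @scope/name grammar and the list of "official" scopes are assumptions.

```python
"""Audit a plugin catalog for scope squatting and gate installs on the result.

Added example, not ClawHub's or Manifold Security's code. The catalog below is
constructed for illustration; every plugin name and account in it is invented.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import re

# Assumed naming convention: "@scope/name" with lowercase npm-style identifiers.
SCOPED_NAME = re.compile(r"^@(?P<scope>[a-z0-9][a-z0-9._-]*)/(?P<name>[a-z0-9][a-z0-9._-]*)$")

# Scopes a reader would take to mean "published by the project itself" (assumed).
OFFICIAL_SCOPES = frozenset({"openclaw", "clawhub"})


@dataclass(frozen=True)
class Plugin:
    name: str             # catalog name, e.g. "@acme/example-weather"
    owner: str            # account that actually published the plugin
    scope_verified: bool  # registry has confirmed this owner controls the scope


@dataclass(frozen=True)
class Finding:
    name: str
    owner: str
    scope: str
    severity: str  # "high" | "medium" | "low"


def scope_of(name: str) -> Optional[str]:
    """Return the @scope of a scoped plugin name, or None for unscoped names."""
    m = SCOPED_NAME.match(name)
    return m.group("scope") if m else None


def audit(catalog, official_scopes=OFFICIAL_SCOPES):
    """Flag scoped plugins whose scope is not backed by the publishing account.

    high:   official-looking scope held by an unrelated account (squatting)
    medium: any other scope that does not match the publisher
    low:    scope matches the publisher but ownership was never verified
    """
    findings = []
    for p in catalog:
        scope = scope_of(p.name)
        if scope is None:
            continue  # unscoped packages make no ownership claim to check
        if scope != p.owner.lower():
            severity = "high" if scope in official_scopes else "medium"
        elif not p.scope_verified:
            severity = "low"
        else:
            continue  # scope matches publisher and the registry verified it
        findings.append(Finding(p.name, p.owner, scope, severity))
    return findings


def summarize(catalog, official_scopes=OFFICIAL_SCOPES):
    """Counts in the shape of the researchers' numbers: total, scoped, verified, findings."""
    scoped = [p for p in catalog if scope_of(p.name) is not None]
    by_sev = Counter(f.severity for f in audit(catalog, official_scopes))
    return {
        "total": len(catalog),
        "scoped": len(scoped),
        "scope_verified": sum(p.scope_verified for p in scoped),
        "high": by_sev["high"],
        "medium": by_sev["medium"],
        "low": by_sev["low"],
    }


def allow_install(plugin):
    """Client-side pre-install gate: a scoped name is trusted only when the
    publisher account matches the scope AND the registry has verified it."""
    scope = scope_of(plugin.name)
    if scope is None:
        return True  # unscoped: nothing to verify here; subject to your own allowlist
    return plugin.scope_verified and scope == plugin.owner.lower()


# Constructed catalog (invented names and accounts) mirroring the patterns the
# article describes: verified scopes, unverified scopes, and official-looking
# scopes held by unrelated accounts.
CATALOG = [
    Plugin("@openclaw/example-gate", "unrelated-dev", False),    # squats an official scope
    Plugin("@clawhub/example-social-api", "another-dev", False), # squats an official scope
    Plugin("@openclaw/example-core", "openclaw", True),          # legitimately owned, verified
    Plugin("@acme/example-weather", "acme", True),               # verified third-party scope
    Plugin("@acme/example-notes", "bob", False),                 # mismatch on a non-official scope
    Plugin("@dave/example-tool", "dave", False),                 # matches publisher, never verified
    Plugin("example-hello", "carol", False),                     # unscoped; outside this check
]

if __name__ == "__main__":
    for f in audit(CATALOG):
        print(f"{f.severity:6} {f.name:30} published by {f.owner!r} (scope {f.scope!r})")
    print(summarize(CATALOG))
```

The gate is deliberately stricter than the audit: a scope that merely matches the publisher’s account name is not enough, because nothing stops an attacker from registering an account whose name matches a scope, so `allow_install` also requires the registry’s verification flag. Run against a real catalog export, the same loop reproduces the researchers’ method of counting scoped plugins and isolating those under official-looking scopes.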


Security Risks of Scope Squatting 

As a result, plugins with names such as @openclaw/security-gate and @clawhub/aisa-twitter-api appeared alongside legitimate content and could easily be mistaken for official or vendor-endorsed offerings. 

The issue extends beyond branding because many affected plugins can execute code, call external APIs, export configuration data, or act on behalf of AI agents. 

Researchers noted that a threat actor would not necessarily need to hide malware within a plugin to take advantage of the situation. 

Simply publishing under a trusted-looking namespace could increase user confidence and improve the likelihood that a malicious plugin is installed. 

However, Manifold Security manually reviewed all 23 identified plugins and reported finding no evidence of malicious code. 

As a result, the issue is best characterized as a software provenance and trust problem rather than an active compromise, though researchers warn that the same weakness could be abused by attackers in the future.

Managing AI Supply Chain Risk 

As organizations adopt more AI-powered tools and agent integrations, verifying software provenance and maintaining visibility into what those components can access becomes increasingly important. 

While the researchers did not identify malicious code in the affected plugins, the incident demonstrates how trusted namespaces and branding can influence adoption decisions. 

  • Verify plugin ownership and software provenance before installation, and use approved registries, code-signing validation, or publisher attestations whenever possible.
  • Restrict AI agents, plugins, and third-party integrations to the minimum permissions, data access, and system privileges required for operation.
  • Maintain an approved inventory of AI plugins, agent extensions, and MCP servers, and regularly review them for ownership changes, security issues, or unnecessary access.
  • Run AI agents and plugins in isolated environments and limit network connectivity to reduce the impact of compromised or malicious components.
  • Monitor plugin and agent activity for unusual behavior, including unexpected command execution, API usage, data access, and outbound network communications.
  • Establish governance processes for evaluating, approving, and continuously assessing AI plugins, third-party skills, and agent integrations before and after deployment.
  • Test incident response plans through tabletop exercises and attack simulations involving compromised AI agents, plugins, and software supply chain scenarios.

Together, these measures can help organizations reduce exposure to AI supply chain risks while building resilience against compromised, impersonated, or untrusted AI components.  


Bottom Line

The ClawHub findings reinforce the need to treat AI plugins and agent extensions as part of the broader software supply chain.

As AI agents gain more access to enterprise systems, security teams will need stronger controls around provenance, permissions, runtime behavior, and approved use. 

The goal is not to slow AI adoption, but to ensure that trusted names, namespaces, and integrations are backed by verifiable security controls. 

As AI ecosystems grow more complex, zero trust principles can help organizations verify access continuously and reduce reliance on implicit trust. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
