ClawHub's plugins use the same model.
ClawHub is the plugin and skill registry for OpenClaw, and its skills and Claude-compatible plugin bundles install into Claude Code and other agents (Cursor, Codex) too. As of today it indexes 1,500+ plugins alongside its Skills catalog.
Plugins can be named npm-style, @owner/package-name, and the scope is meant to identify the publishing owner.
ClawHub publishes its own official plugins under these scopes too: @openclaw/whatsapp, @openclaw/codex, and @openclaw/matrix are genuine first-party integrations owned by the OpenClaw account. That trust is the whole point of the scope, and the whole problem when an unaffiliated package wears the same @openclaw/ prefix.
By contrast, other Claude plugin registries such as claude-plugins.dev derive the owner straight from the GitHub repo, so there's no separate scope for the registry itself to police — GitHub already enforces who can publish under that account. That design sidesteps the problem entirely.
ClawHub, having minted its own scope layer, takes on the job of enforcing it. Its own publishing docs are explicit about the rule:
“The scope must match the selected publish owner. If your package is named @openclaw/dronzer, it can only be published as @openclaw. If you publish as @vintageayu, rename the package to @vintageayu/dronzer. This prevents a package from claiming an org namespace that the publisher does not control.”
The documentation describes exactly the protection npm provides. In practice, however, the ClawHub registry did not apply that check to the org scopes for all plugins and packages.
Of the 1,508 plugins in the catalog, 557 carry an ‘@owner/’ scope. But not all of those scopes are ownership-verified, and 23 of them sit under the ‘@openclaw/’ or ‘@clawhub/’ names while belonging to unrelated accounts.
Look at these two URLs, for example:
https://clawhub.ai/plugins/@openclaw/security-gate (archived version)
https://clawhub.ai/plugins/@clawhub/aisa-twitter-api (archived version)
Anyone reading those URLs would reasonably assume they come from the official, org-controlled namespaces.
Moreover, a developer running the following line of code, or seeing it in a script, will not think twice either:

openclaw plugins install clawhub:@clawhub/prediction-market
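To make the rule concrete, here is an added Python example (not ClawHub's own code) that applies the scope-must-match-owner check quoted from the publishing docs at publish time, and runs the same check over a catalog to surface packages wearing an org scope their publisher does not own. The catalog entries and their owner accounts are constructed sample data, not values taken from the registry.

```python
import re

# npm-style package name: optional "@scope/" followed by a package name.
PACKAGE_RE = re.compile(
    r"^(?:@(?P<scope>[a-z0-9][a-z0-9._-]*)/)?(?P<name>[a-z0-9][a-z0-9._-]*)$"
)

def parse_package(package):
    """Split '@scope/name' into (scope, name); scope is None when unscoped."""
    m = PACKAGE_RE.match(package)
    if not m:
        raise ValueError(f"invalid package name: {package!r}")
    return m.group("scope"), m.group("name")

def check_publish(package, publish_owner):
    """Publish-time rule: a scoped package may only be published by the
    account whose name equals the scope. Returns (allowed, reason)."""
    scope, _ = parse_package(package)
    if scope is None:
        return True, "unscoped"
    if scope == publish_owner.lower():
        return True, "scope matches publish owner"
    return False, f"scope @{scope} does not match publish owner {publish_owner}"

def audit_catalog(entries, org_scopes):
    """Flag catalog entries that use one of the registry's org scopes
    while being published by a different account."""
    findings = []
    for package, owner in entries:
        scope, _ = parse_package(package)
        if scope in org_scopes and scope != owner.lower():
            findings.append((package, owner))
    return findings

def scope_of_install_spec(spec):
    """Return the scope from an install spec like 'clawhub:@clawhub/foo',
    so a pre-install hook can warn when an org scope is unverified."""
    _, _, package = spec.partition(":")
    return parse_package(package)[0]

# Constructed sample catalog: (package, publishing account). The owner
# accounts for the two mismatched entries are placeholders.
SAMPLE_CATALOG = [
    ("@openclaw/whatsapp", "openclaw"),
    ("@openclaw/codex", "openclaw"),
    ("@openclaw/security-gate", "unrelated-account-1"),
    ("@clawhub/aisa-twitter-api", "unrelated-account-2"),
    ("@vintageayu/dronzer", "vintageayu"),
    ("plain-plugin", "anyone"),
]
ORG_SCOPES = {"openclaw", "clawhub"}
```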