惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Project Zero
Project Zero
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Google DeepMind News
Google DeepMind News
Recent Announcements
Recent Announcements
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
V
Visual Studio Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
G
Google Developers Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recorded Future
Recorded Future
B
Blog RSS Feed
The GitHub Blog
The GitHub Blog
爱范儿
爱范儿
博客园 - 三生石上(FineUI控件)
D
DataBreaches.Net
博客园 - Franky
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Last Week in AI
Last Week in AI
NISL@THU
NISL@THU
T
Tailwind CSS Blog
博客园 - 【当耐特】
P
Privacy International News Feed
I
InfoQ
L
LINUX DO - 热门话题
H
Help Net Security
博客园 - 叶小钗
aimingoo的专栏
aimingoo的专栏
AWS News Blog
AWS News Blog
Scott Helme
Scott Helme
Cyberwarzone
Cyberwarzone
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Forbes - Security
Forbes - Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
WordPress大学
WordPress大学
T
Troy Hunt's Blog
Spread Privacy
Spread Privacy
V
V2EX
Cloudbric
Cloudbric
Security Latest
Security Latest
H
Heimdal Security Blog
S
Securelist
I
Intezer
F
Full Disclosure
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
小众软件
小众软件
Security Archives - TechRepublic
Security Archives - TechRepublic
L
Lohrmann on Cybersecurity
S
Schneier on Security
C
Cybersecurity and Infrastructure Security Agency CISA

Hacker News - Newest: "OpenClaw"

OpenClaw just launched an official app for iPhone, details here - 9to5Mac OpenClaw Launch — Deploy AI Chatbots in Seconds Self-Host OpenClaw AI Agent on VPS: Full Setup Guide GitHub - xltvy/openclaw-memgpt: OpenClaw plugin that gives agents MemGPT-style memory: tiered core/archival/recall storage, self-directed memory operations via tool calls, memory-pressure warnings, and recursive summarisation. Integrates the reference MemGPT implementation via a local sidecar service, preserving the original architecture without reimplementation. Malicious AI what shipping OpenClaw in production taught us — AutoClaw AgentLine — AI Phone API | Phone Numbers, Voice & SMS for AI Agents Make Your OpenClaw Agent Cheaper, and Measure It Yourself GitHub - sammysltd/OpenEmployee: Make your OpenClaw agent employable: deny-by-default governance, budgets, allowlists, approval gates, and a signed audit trail via MakerChecker. Migrate from OpenClaw | Hermes Agent StackOverflow closed my OpenClaw and paperclipAI integration q. as "irrelevant" GitHub - sausin/outpost: Removing AI agents' quiet security problem Potassium — ClawHub Plugins Pi Building Pi, Openclaw's Minimalist Coding Agent | Mario Zechner, Creator of Pi I Spent 4 Hours So You Don’t Have To: Hetzner Metal + NixOS in ~15 Minutes − Irakli's blog GitHub - snuri00/osint-mcp: Self-hosted OSINT toolkit — MCP server, AI REPL, CLI, web app & chat apps (WhatsApp/Telegram/Discord via OpenClaw). Entity, event/news & social/community intelligence. Keyless-first. What a Regex Can't Do GitHub - ai-sns/openclaw-hermes-agent-network: OpenClaw Hermes AI Agent Social Network🦞💬🦞Built on Google 3D Maps and A2A protocol, connects OpenClaw and Hermes agents worldwide in a 3D environment. Phishing for Lobsters: How We Tricked OpenClaw into Spilling Secrets GitHub - CODEANDTRUST/clawcall: Give your OpenClaw / self-hosted AI agent inbound phone calls - a Twilio-to-gateway voice bridge with working agent tools mid-call (MIT). Build a ZeroCost Web Automation Pipeline with OpenRouter, OpenClaw, and MediaUse Let OpenClaw Run Wild in Simulation, Not on Your Customers | Veris AI GitHub - gpdir16/tabyAgent: A lighter, easier alternative to OpenClaw/Hermes. Runs autonomously inside Docker and chats with you through Telegram. Ask HN: What are the biggest problems you find in OpenClaw/Hermes? Microsoft launches Scout, an OpenClaw-inspired personal assistant GitHub - openclaw/openclaw-windows-node: Windows companion suite for OpenClaw - System Tray app, Shared library, Node, and PowerToys Command Palette extension Microsoft unveils Scout, an autonomous AI agent built on OpenClaw Gavriel Cohen found his own code inside OpenClaw, so he walked away GitHub - hunvreus/heypi: Chat agents for your team, with approvals and sandboxed tools. Slack, Discord, Telegram, webhooks. HolaClaw: run OpenClaw securely in Mac Multi-Agent Orchestration System: Hermes (Windows) ↔ OpenClaw (WSL) We were building infra for OpenClaw, and today I just tried Hermes and holy shit GitHub - openclaw/openclaw: Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞 OpenClaw as the Universal Operating System for Agents ARC Prize - Community Leaderboard Setup OpenClaw with Slack: from install to first message twitter.com I Gave My OpenClaw Agent a Physical Body Use Grok in OpenClaw The creator of OpenClaw used $1,300,000+ of OpenAI tokens in 30 days, which is a hell of a perk GitHub - oswarld/openshears: 🔪 THE OPENCLAW TERMINATOR 🦞 Are we human? Show HN: OpenClaw is just not dangerous enough. I needed something else OpenClaw creator burned through $1.3 million in OpenAI API tokens in a single month — bill covered 603 billion tokens across 7.6 million requests and 100 coding agents Reducing OpenClaw token usage OpenClaw/Hermes Hosting Comparison GitHub - ExTV/rikkahub-agent: RikkaHub Agent -- is RikkaHub fork that have Full agent mode . For $1.3 million a month, OpenClaw founder Peter Steinberger runs 100 AI agents that code, review PRs, and find bugs Where OpenClaw Security Is Heading OpenAI Models in OpenClaw, Done Right GitHub - thesysdev/openclaw-os: The default workspace for OpenClaw Token, Harness, OpenClaw, RAG, MCP, Agent – What's the Difference? We need a safe alternative to Telegram for agents like OpenClaw or Hermes Two OpenClaw agents negotiate a YC SAFE with Agentic Power of Attorney OpenClaw Had a Rough Week GitHub - LobsterTrap/tank-os GitHub - haishmg/Clawback How OpenClaw Got Safer in Public openclaw ggsql — ClawHub Show HN: iClaw is part OpenClaw, part Siri, powered by Apple Intelligence GitHub - lotsoftick/openclaw_client: OpenClaw web client Show HN: OpenClaw but Efficient and with an SDK GitHub - TheGuyWithoutH/mac-computer-use GitHub - microsoft/openclaw: Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞 The OpenClaw turkey problem OpenClaw: opioids for Chinese AI companies GitHub - supersuit-tech/permission-slip [AINews] The Two Sides of OpenClaw OpenClaw stats don't add up GitHub - brexhq/CrabTrap: An LLM-as-a-judge HTTP proxy to secure agents in production Anthropic - OpenClaw Hustlers are cashing in on China’s OpenClaw AI craze Engineering Managers are going to hate OpenClaw GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw Ask HN: Who is using OpenClaw? Why Meta’s AI Alignment Director Couldn't Stop Her Own Agent—and How to Fix It GitHub - epsilla-cloud/clawtrace: Make your OpenClaw agents better, cheaper, and faster. Ask HN: What are you using OpenClaw or agents for? GitHub - epsilla-cloud/clawtrace: Make your OpenClaw agents better, cheaper, and faster. GitHub - theprint/nfh-self-improvement-loop: Minimal adversarial framework for AI agent self-modification. Inspired by karpathy/autoresearch. GitHub - ibrahimmukherjee-boop/ClearFrame: OpenClaw Alternative with better governance, security Show HN: Agent-Notifications – Real-Time Alerts for OpenClaw and Hermes Agents OpenClaw + Claude are better than therapy GitHub - zeulewan/glueclaw: Use Claude Max subscription with OpenClaw again Anthropic temporarily banned OpenClaw’s creator from accessing Claude OpenClaw’s memory is unreliable, and you don’t know when it will break Give Your OpenClaw Agent a Real Memory You need a Windows Remote Desktop, not an OpenClaw GitHub - cruxdigital-llc/CongaLine: Deploy and manage a fleet of OpenClaw AI assistants anywhere. Supporting hobbyist, team, and enterprise use cases. GitHub - cezarpena/vsm-cell: VSM-Cell is an OpenClaw agent P2P mesh orchestration standalone app. GitHub - joshchoi4881/dropspace-agents GitHub - askalf/dario: Universal LLM router. One local endpoint, every provider — OpenAI, Groq, OpenRouter, Ollama, Claude Max/Pro subscriptions, the Claude Agent SDK, any OpenAI-compat URL. Your tools stop caring which vendor is upstream. Tutorial: Secure OpenClaw with CloudConnexa OpenClaw and the Dream of Free Labour GitHub - RageDotNet/openclaw-webdav GitHub - kevinslin/openai-apps: Support openai apps in openclaw GitHub - aelaguiz/doctrine: Code-like DSL and compiler for agent workflows that compile to portable AGENTS.md instructions. Unlocking cloud inference compute for OpenClaw OpenClaw for Sales: How AI Agents are Revolutionizing Revenue Teams | Kickscale OpenClaw Architecture - Part 1: Control Plane, Sessions, and the Event Loop
23 ClawHub Plugins Squat Official Org Scopes - Manifold Security
Ax Sharma · 2026-06-23 · via Hacker News - Newest: "OpenClaw"

23 ClawHub plugins squat the official scopes on the registry: a case study in enforcing organizational scope and namespacing on AI asset registries.

TL;DR

  • Manifold Security identified 23 code-executing ClawHub plugins published under ClawHub's @openclaw/ and @clawhub/ scopes by accounts that have nothing to do with either organization.

  • ClawHub had documented the rule but did not comprehensively enforce it: a plugin's scope is supposed to match its owner, but the org scopes would accept anyone, which is a supply chain attack risk.

  • 557 of the 1,508 plugins carry an @owner/ scope, but not all have ClawHub verified ownership.

  • ClawHub uses the @openclaw/ scope for its own genuine plugins (@openclaw/whatsapp, @openclaw/codex), so unauthorized ones sitting under it (@openclaw/security-gate, @openclaw/fiat-wallet, @clawhub/aisa-twitter-api) inherit the same first-party credibility, for code that runs inside your agent with real privileges.

  • We reported it to ClawHub on June 17. Following our private report, ClawHub added a procedure to dispute organizational scopes and namespaces squatted by unauthorized entities or threat actors, and unlisted the misleading plugins.

  • Scopes have existed for years across several registries including npm, often used to group packages and artifacts under official organizational or developer accounts and signal to consumers that scoped artifacts can be consumed with high trust, given they are coming from the official source.

If you have spent any time as an npm developer or around open source supply chain security, you already know about scoped packages and namespacing.

A scope is the @owner/ prefix on a package name. It ties a package to an owner, so consumers can tell at a glance who published it. The point is provenance: the scope is a trust signal about where the code came from.

For example, the npm package @microsoft/microsoft-graph-client sits under the @microsoft scope, owned by the company. A developer pulling that package can be reasonably confident the artifact comes from Microsoft, because npm enforces org scopes: only members of the @microsoft org can publish under it, and a non-member is rejected outright.

Trusted scopes and impersonation risk

Here is the part that matters most, and the part that is easy to get wrong.

At the time of our analysis, six of these plugins were flagged “suspicious” by ClawHub's own scanner.

We manually reviewed all six flagged plugins, and in fact every one of the 23 in the table, and found no outright malicious code in any of them. That is deliberately not the headline. The risk here is not a planted payload (in the versions we found; not accounting for future updates that could be malicious), but impersonation of high-privilege plugin types inside a trusted scope.

These are plugins that take autonomous payment actions, run host-level git and gh commands, export agent configuration, or egress to third-party APIs.

When code with that level of capability wears an @openclaw or @clawhub badge it did not earn, the scope stops being a trust signal and starts being a liability. A future bad actor does not need to smuggle in malware. They need only inherit the credibility the scope confers.

The full list of plugins we analyzed, all of which execute code inside the agent:

ClawHub Plugin

Owner handle

ClawHub Scan status

Executes code

Created

@clawhub/prediction-market-arbitrage-zh

bibaofeng

clean

yes

2026-04-04

@clawhub/prediction-market-arbitrage

bibaofeng

clean

yes

2026-04-04

@clawhub/prediction-market-zh

bibaofeng

clean

yes

2026-04-04

@clawhub/prediction-market

bibaofeng

clean

yes

2026-04-04

@clawhub/aisa-twitter-api

bibaofeng

suspicious

yes

2026-04-04

@openclaw/ralph-loop

pazyork

clean

yes

2026-03-26

@openclaw/wework

tans

clean

yes

2026-03-27

@openclaw/security-gate

dsda56180

clean

yes

2026-03-30

@openclaw/agent-exporter

jxh0229

suspicious

yes

2026-03-31

@openclaw/fiat-wallet

justiceessielp

suspicious

yes

2026-04-02

@openclaw/zulip

niyazmft

clean

yes

2026-04-03

@openclaw/open-prose

sheygoodbai

clean

yes

2026-04-04

@openclaw/time-injection

willificent

clean

yes

2026-04-06

@openclaw/knowledge-base-retrieval

kwokmoon

clean

yes

2026-04-09

@openclaw/icpswap

onevroad-icp

suspicious

yes

2026-04-13

@openclaw/xiaomifeng

renhongchao

clean

yes

2026-04-14

@openclaw/openclaw-session-bloat-warning

teodorarg

clean

yes

2026-04-18

@openclaw/openclaw-canon

teodorarg

clean

yes

2026-04-18

@openclaw/openclaw-workflow-planner

teodorarg

clean

yes

2026-04-18

@openclaw/openclaw-host-git-workflow

teodorarg

suspicious

yes

2026-04-18

@openclaw/product-marketing-byteplus

sqsge

clean

yes

2026-04-19

@openclaw/openclaw-url-tailwind-scaffold

teodorarg

clean

yes

2026-04-21

@openclaw/codex-claw

100yenadmin

suspicious

yes

2026-05-03

The list comprises 23 code-executing plugins across 15 distinct accounts.

Some accounts hold clusters: all five @clawhub/ packages belong to one owner, and five of the @openclaw/ entries trace to another single account.

Most of these look like ordinary developers who published useful plugins and parked them under an official-looking scope, in several cases probably without realizing the scope was supposed to be reserved. That is the point, not a mitigation of it.

The gap was open enough that everyday contributors populated the official namespaces unchallenged. A motivated impersonator faces the same open door, with worse intent

ClawHub adds a dispute process

On June 17th we notified the ClawHub maintainers via GitHub’s security advisory workflow, and further sent a courtesy email the following day.

Following our outreach, ClawHub's documentation gained a dedicated namespace-claims dispute process, letting rightful owners of an org, brand, scope, owner handle, or namespace request staff review:

“If you are the rightful owner of an org, brand, package scope, owner handle, or namespace that is already claimed or reserved on ClawHub, open an Org / Namespace Claim issue with public, non-sensitive proof. See Org and Namespace Claims for what to include and what to keep out of public issues.”

ClawHub's own FAQ, captured June 16, stated that “only publishers with access to the @openclaw owner can publish” under that scope, a guarantee that did not hold for the 23 plugins above. How long scope enforcement had applied to new publishes before that, the docs don't state.

By June 19th, the registry unlisted these misleading plugins from public view, following our report. Credit to Patrick Erichsen of ClawHub for the prompt action.

Scopes, badges, and audits tell you what a plugin claims to be. Manifold shows you what it actually does. From mapping your agent supply chain to monitoring runtime behaviour, we give you visibility across the full picture. Talk to us today.