feat: add crestodian plugin management

docs/cli/crestodian.md

@@ -71,6 +71,10 @@ agents
 create agent work workspace ~/Projects/work
 models
 set default model openai/gpt-5.5
+plugins list
+plugins search slack
+plugin install clawhub:openclaw-codex-app-server
+plugin uninstall openclaw-codex-app-server
 talk to work agent
 talk to agent for ~/Projects/work
 audit
@@ -99,6 +103,8 @@ Read-only operations can run immediately:
 
 - show overview
 - list agents
+- list installed plugins
+- search ClawHub plugins
 - show model/backend status
 - run status or health checks
 - check Gateway reachability
@@ -116,6 +122,8 @@ you pass `--yes` for a direct command:
 - change the default model
 - start, stop, or restart the Gateway
 - create agents
+- install plugins from ClawHub or npm
+- uninstall plugins
 - run doctor repairs that rewrite config or state
 
 Applied writes are recorded in:
@@ -240,6 +248,9 @@ Security contract for remote rescue:
 - Require an explicit owner identity. Rescue must not accept wildcard sender
   rules, open group policy, unauthenticated webhooks, or anonymous channels.
 - Owner DMs only by default. Group/channel rescue requires explicit opt-in.
+- Plugin search and list are read-only. Plugin install is local-only by default
+  because it downloads executable code. Plugin uninstall can be allowed as an
+  approved repair operation when rescue policy permits persistent writes.
 - Remote rescue cannot open the local TUI or switch into an interactive agent
   session. Use local `openclaw` for agent handoff.
 - Persistent writes still require approval, even in rescue mode.

docs/cli/plugins.md

@@ -31,6 +31,9 @@ openclaw plugins list
 openclaw plugins list --enabled
 openclaw plugins list --verbose
 openclaw plugins list --json
+openclaw plugins search <query>
+openclaw plugins search <query> --limit 20
+openclaw plugins search <query> --json
 openclaw plugins install <path-or-spec>
 openclaw plugins inspect <id>
 openclaw plugins inspect <id> --runtime
@@ -64,6 +67,7 @@ Native OpenClaw plugins must ship `openclaw.plugin.json` with an inline JSON Sch
 ### Install
 
 ```bash
+openclaw plugins search "calendar"                   # search ClawHub plugins
 openclaw plugins install <package>                      # ClawHub first, then npm
 openclaw plugins install clawhub:<package>              # ClawHub only
 openclaw plugins install npm:<package>                  # npm only
@@ -82,6 +86,10 @@ openclaw plugins install <plugin> --marketplace https://github.com/<owner>/<repo
 Bare package names are checked against ClawHub first, then npm. Treat plugin installs like running code. Prefer pinned versions.
 </Warning>
 
+`plugins search` queries ClawHub for installable plugin packages and prints
+install-ready package names. It searches code-plugin and bundle-plugin packages,
+not skills. Use `openclaw skills search` for ClawHub skills.
+
 <Note>
 ClawHub is the primary distribution and discovery surface for most plugins. Npm
 remains a supported fallback and direct-install path. During the migration to
@@ -217,6 +225,9 @@ openclaw plugins list
 openclaw plugins list --enabled
 openclaw plugins list --verbose
 openclaw plugins list --json
+openclaw plugins search <query>
+openclaw plugins search <query> --limit 20
+openclaw plugins search <query> --json
 ```
 
 <ParamField path="--enabled" type="boolean">
@@ -233,6 +244,11 @@ openclaw plugins list --json
 `plugins list` reads the persisted local plugin registry first, with a manifest-only derived fallback when the registry is missing or invalid. It is useful for checking whether a plugin is installed, enabled, and visible to cold startup planning, but it is not a live runtime probe of an already-running Gateway process. After changing plugin code, enablement, hook policy, or `plugins.load.paths`, restart the Gateway that serves the channel before expecting new `register(api)` code or hooks to run. For remote/container deployments, verify you are restarting the actual `openclaw gateway run` child, not only a wrapper process.
 </Note>
 
+`plugins search` is a remote ClawHub catalog lookup. It does not inspect local
+state, mutate config, install packages, or load plugin runtime code. Search
+results include the ClawHub package name, family, channel, version, summary, and
+an install hint such as `openclaw plugins install clawhub:<package>`.
+
 For bundled plugin work inside a packaged Docker image, bind-mount the plugin
 source directory over the matching packaged source path, such as
 `/app/extensions/synology-chat`. OpenClaw will discover that mounted source

docs/tools/clawhub.md

@@ -60,11 +60,14 @@ Site: [clawhub.ai](https://clawhub.ai)
   </Tab>
   <Tab title="Plugins">
     ```bash
+    openclaw plugins search "calendar"
     openclaw plugins install clawhub:<package>
     openclaw plugins update --all
     ```
 
-    Bare npm-safe plugin specs are also tried against ClawHub before npm:
+    `plugins search` queries the ClawHub plugin catalog and prints install-ready
+    package names. Bare npm-safe plugin specs are also tried against ClawHub
+    before npm:
 
     ```bash
     openclaw plugins install openclaw-codex-app-server

docs/tools/plugin.md

@@ -27,6 +27,12 @@ temporary set of OpenClaw-owned plugin packages while that migration finishes.
 
   <Step title="Install a plugin">
     ```bash
+    # Search ClawHub plugins
+    openclaw plugins search "calendar"
+
+    # From ClawHub
+    openclaw plugins install clawhub:openclaw-codex-app-server
+
     # From npm
     openclaw plugins install npm:@acme/openclaw-plugin
 
@@ -433,6 +439,7 @@ openclaw plugins list                       # compact inventory
 openclaw plugins list --enabled            # only enabled plugins
 openclaw plugins list --verbose            # per-plugin detail lines
 openclaw plugins list --json               # machine-readable inventory
+openclaw plugins search <query>            # search ClawHub plugin catalog
 openclaw plugins inspect <id>              # static detail
 openclaw plugins inspect <id> --runtime    # registered hooks/tools/CLI/gateway methods
 openclaw plugins inspect <id> --json       # machine-readable