From 39bc94e4ddf522bf9a309b5e0a48052602f6d8c9 Mon Sep 17 00:00:00 2001
From: Vincent Koc <vincentkoc@ieee.org>
Date: Sun, 3 May 2026 00:22:09 -0700
Subject: [PATCH] fix(onboarding): trust official optional plugin installs

---
 CHANGELOG.md                              | 1 +
 src/wizard/setup.official-plugins.test.ts | 1 +
 src/wizard/setup.official-plugins.ts      | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 48899d58478..384762f9aa2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- Plugins/onboarding: trust optional official plugin installs selected from the official catalog so npm security scanning treats them like other source-linked official install paths. Thanks @vincentkoc.
 - CLI/plugins: keep `plugins enable` and `plugins disable` from creating unconfigured channel config sections, so channel plugins with required setup fields no longer fail validation during lifecycle probes. Thanks @vincentkoc.
 - Agents/sessions: keep delayed `sessions_send` A2A replies alive after soft wait-window timeouts, while preserving terminal run timeouts and avoiding stale target replies in requester sessions. Fixes #76443. Thanks @ryswork1993 and @vincentkoc.
 - CLI/sessions: keep intentional empty agent replies silent after tool-delivered channel output, instead of surfacing a misleading "No reply from agent." fallback. Thanks @vincentkoc.
diff --git a/src/wizard/setup.official-plugins.test.ts b/src/wizard/setup.official-plugins.test.ts
index bdb8e682c0e..f332064cbd2 100644
--- a/src/wizard/setup.official-plugins.test.ts
+++ b/src/wizard/setup.official-plugins.test.ts
@@ -112,6 +112,7 @@ describe("setupOfficialPluginInstalls", () => {
       expect.objectContaining({
         entry: expect.objectContaining({
           pluginId: "diagnostics-otel",
+          trustedSourceLinkedOfficialInstall: true,
           install: expect.objectContaining({
             clawhubSpec: "clawhub:@openclaw/diagnostics-otel",
             npmSpec: "@openclaw/diagnostics-otel",
diff --git a/src/wizard/setup.official-plugins.ts b/src/wizard/setup.official-plugins.ts
index 248c8e2ab6a..08f8163ab96 100644
--- a/src/wizard/setup.official-plugins.ts
+++ b/src/wizard/setup.official-plugins.ts
@@ -18,6 +18,7 @@ export type OfficialPluginOnboardingInstallEntry = {
   label: string;
   description?: string;
   install: PluginPackageInstall;
+  trustedSourceLinkedOfficialInstall?: boolean;
 };
 
 function isInstalledOrConfigured(config: OpenClawConfig, pluginId: string): boolean {
@@ -76,6 +77,7 @@ export function resolveOfficialPluginOnboardingInstallEntries(params: {
       label: resolveOfficialExternalPluginLabel(entry),
       ...(entry.description ? { description: entry.description } : {}),
       install,
+      trustedSourceLinkedOfficialInstall: true,
     });
   }
   return entries.toSorted((left, right) => left.label.localeCompare(right.label));