docs(plugins): explain catalog install trust

src/cli/plugins-cli.install.test.ts

@@ -1009,6 +1009,8 @@ describe("plugins cli install", () => {
 
     await runPluginsCommand(["plugins", "install", "@wecom/wecom-openclaw-plugin@latest"]);
 
+    // Alternate selectors stay trusted by catalog package name, but must not
+    // inherit catalog integrity unless the install spec matches exactly.
     expect(installPluginFromNpmSpec).toHaveBeenCalledWith(
       expect.objectContaining({
         spec: "@wecom/wecom-openclaw-plugin@latest",

src/cli/plugins-install-command.ts

@@ -71,6 +71,9 @@ function findTrustedCatalogPackageInstall(packageName: string):
       expectedIntegrity?: string;
     }
   | undefined {
+  // The catalog is the trust list. Raw npm selectors such as
+  // @scope/pkg@latest inherit install-scan trust when their package name is
+  // cataloged; integrity remains tied to exact catalog specs in the planner.
   const entry = getOfficialExternalPluginCatalogEntryForPackage(packageName);
   if (!entry) {
     return undefined;