diff --git a/src/cli/plugins-cli.install.test.ts b/src/cli/plugins-cli.install.test.ts
index c3e21744aa8..6a0d53451ce 100644
--- a/src/cli/plugins-cli.install.test.ts
+++ b/src/cli/plugins-cli.install.test.ts
@@ -1009,6 +1009,8 @@ describe("plugins cli install", () => {
 await runPluginsCommand(["plugins", "install", "@wecom/wecom-openclaw-plugin@latest"]);
+ // Alternate selectors stay trusted by catalog package name, but must not
+ // inherit catalog integrity unless the install spec matches exactly.
 expect(installPluginFromNpmSpec).toHaveBeenCalledWith(
 expect.objectContaining({
 spec: "@wecom/wecom-openclaw-plugin@latest",
diff --git a/src/cli/plugins-install-command.ts b/src/cli/plugins-install-command.ts
index 796c705139e..89e33e2a741 100644
--- a/src/cli/plugins-install-command.ts
+++ b/src/cli/plugins-install-command.ts
@@ -71,6 +71,9 @@ function findTrustedCatalogPackageInstall(packageName: string):
 expectedIntegrity?: string;
 } | undefined {
+ // The catalog is the trust list. Raw npm selectors such as
+ // @scope/pkg@latest inherit install-scan trust when their package name is
+ // cataloged; integrity remains tied to exact catalog specs in the planner.
 const entry = getOfficialExternalPluginCatalogEntryForPackage(packageName);
 if (!entry) {
 return undefined;
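Review bot: The new comment promises that `@latest` must not inherit catalog integrity, but `expect.objectContaining({ spec: ... })` only proves the spec was passed through; it never fails if `expectedIntegrity` is also set, so the security property the comment names is not enforced by the assertion unless the remainder of the matcher (outside this hunk) pins it. Add an explicit negative assertion next to it, e.g. `expect(installPluginFromNpmSpec).toHaveBeenCalledWith(expect.not.objectContaining({ expectedIntegrity: expect.anything() }));`, so a regression that starts attaching the catalog hash to a floating dist-tag turns the test red. The `expect(...)` call and the enclosing test case continue past the end of the hunk.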
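Review bot: The comment says integrity "remains tied to exact catalog specs in the planner", but this helper takes only `packageName` and its return type still carries `expectedIntegrity?: string`, so nothing in its signature tells a caller that the hash it returns is only valid for the catalog's exact spec; a caller that passes a name-matched `@latest` install through unchanged would silently apply the wrong pin. Either state the caller obligation here and name the planner function so the invariant is greppable, e.g. `// Callers with a non-exact spec must drop expectedIntegrity; spec equality is checked in <planner fn>, not here.`, or consider returning the catalog spec alongside the hash so the comparison can be made where the value is consumed. The body of findTrustedCatalogPackageInstall continues outside the hunk, so whether it already strips the hash cannot be confirmed from this view.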