From 5c447f53d71e9ecc3ae98683bf837386afa284c7 Mon Sep 17 00:00:00 2001 From: Vincent Koc Date: Fri, 1 May 2026 17:34:46 -0700 Subject: [PATCH] docs(plugins): document clawhub clawpack installs --- docs/cli/plugins.md | 2 +- docs/tools/clawhub.md | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/cli/plugins.md b/docs/cli/plugins.md index e3be5bb98cd..3dc42428f03 100644 --- a/docs/cli/plugins.md +++ b/docs/cli/plugins.md @@ -164,7 +164,7 @@ openclaw plugins install npm:openclaw-codex-app-server openclaw plugins install npm:@scope/plugin-name@1.0.1 ``` -OpenClaw downloads the package archive from ClawHub, checks the advertised plugin API / minimum gateway compatibility, then installs it through the normal archive path. Recorded installs keep their ClawHub source metadata for later updates. +OpenClaw checks the advertised plugin API / minimum gateway compatibility before install. When the selected ClawHub version publishes a ClawPack artifact, OpenClaw downloads the versioned ClawPack, verifies the ClawHub digest header and the artifact digest, then installs it through the normal archive path. Older ClawHub versions without ClawPack metadata still install through the legacy package archive verification path. Recorded installs keep their ClawHub source metadata and ClawPack digest facts for later updates. Unversioned ClawHub installs keep an unversioned recorded spec so `openclaw plugins update` can follow newer ClawHub releases; explicit version or tag selectors such as `clawhub:pkg@1.2.3` and `clawhub:pkg@beta` remain pinned to that selector. #### Marketplace shorthand diff --git a/docs/tools/clawhub.md b/docs/tools/clawhub.md index 543ea2a3383..6e5f1a68c62 100644 --- a/docs/tools/clawhub.md +++ b/docs/tools/clawhub.md @@ -80,7 +80,11 @@ Site: [clawhub.ai](https://clawhub.ai) Plugin installs validate advertised `pluginApi` and `minGatewayVersion` compatibility before archive install runs, so incompatible hosts fail closed early instead of partially installing - the package. + the package. When a package version publishes a ClawPack artifact, + OpenClaw prefers that artifact, verifies the ClawHub digest header and + downloaded bytes, and records the ClawPack digest metadata for later + updates. Older package versions without ClawPack metadata still use the + legacy package archive verification path.