fix: restrict remote marketplace plugin sources

2026-05-03 14:20:29 +00:00 · 2026-03-22 22:44:55 -07:00
parent 09faed6bd8
commit c036e4d176
4 changed files with 250 additions and 3 deletions
--- a/docs/cli/plugins.md
+++ b/docs/cli/plugins.md
@@ -120,6 +120,11 @@ Marketplace sources can be:
 - a GitHub repo shorthand such as `owner/repo`
 - a git URL

+For remote marketplaces loaded from GitHub or git, plugin entries must stay
+inside the cloned marketplace repo. OpenClaw accepts relative path sources from
+that repo and rejects external git, GitHub, URL/archive, and absolute-path
+plugin sources from remote manifests.
+
 For local paths and archives, OpenClaw auto-detects:

 - native OpenClaw plugins (`openclaw.plugin.json`)