openclaw plugins
Manage Gateway plugins/extensions and compatible bundles. Related: - Plugin system: Plugins
- Bundle compatibility: Plugin bundles
- Plugin manifest + schema: Plugin manifest
- Security hardening: Security
Commands
plugins enable to activate them. Native OpenClaw plugins must ship openclaw.plugin.json with an inline JSON Schema (configSchema, even if empty). Compatible bundles use their own bundle manifests instead. plugins list shows Format: openclaw or Format: bundle. Verbose list/info output also shows the bundle subtype (codex, claude, or cursor) plus detected bundle capabilities. Install
--ignore-scripts for safety. Bare specs and @latest stay on the stable track. If npm resolves either of those to a prerelease, OpenClaw stops and asks you to opt in explicitly with a prerelease tag such as @beta/@rc or an exact prerelease version such as @1.2.3-beta.4. If a bare install spec matches a bundled plugin id (for example diffs), OpenClaw installs the bundled plugin directly. To install an npm package with the same name, use an explicit scoped spec (for example @scope/diffs). Supported archives: .zip, .tgz, .tar.gz, .tar. Claude marketplace installs are also supported. Use plugin@marketplace shorthand when the marketplace name exists in Claude’s local registry cache at ~/.claude/plugins/known_marketplaces.json: --marketplace when you want to pass the marketplace source explicitly: - a Claude known-marketplace name from
~/.claude/plugins/known_marketplaces.json - a local marketplace root or
marketplace.jsonpath - a GitHub repo shorthand such as
owner/repo - a git URL
- native OpenClaw plugins (
openclaw.plugin.json) - Codex-compatible bundles (
.codex-plugin/plugin.json) - Claude-compatible bundles (
.claude-plugin/plugin.jsonor the default Claude component layout) - Cursor-compatible bundles (
.cursor-plugin/plugin.json)
settings.json defaults, Cursor command-skills, and compatible Codex hook directories are supported; other detected bundle capabilities are shown in diagnostics/info but are not yet wired into runtime execution. Use --link to avoid copying a local directory (adds to plugins.load.paths): --pin on npm installs to save the resolved exact spec (name@version) in plugins.installs while keeping the default behavior unpinned. Uninstall
uninstall removes plugin records from plugins.entries, plugins.installs, the plugin allowlist, and linked plugins.load.paths entries when applicable. For active memory plugins, the memory slot resets to memory-core. By default, uninstall also removes the plugin install directory under the active state dir extensions root ($OPENCLAW_STATE_DIR/extensions/<id>). Use --keep-files to keep files on disk. --keep-config is supported as a deprecated alias for --keep-files. Update
plugins.installs, currently npm and marketplace installs. When you pass a plugin id, OpenClaw reuses the recorded install spec for that plugin. That means previously stored dist-tags such as @beta and exact pinned versions continue to be used on later update <id> runs. For npm installs, you can also pass an explicit npm package spec with a dist-tag or exact version. OpenClaw resolves that package name back to the tracked plugin record, updates that installed plugin, and records the new npm spec for future id-based updates. When a stored integrity hash exists and the fetched artifact hash changes, OpenClaw prints a warning and asks for confirmation before proceeding. Use global --yes to bypass prompts in CI/non-interactive runs. Inspect
- plain-capability — one capability type (e.g. a provider-only plugin)
- hybrid-capability — multiple capability types (e.g. text + speech + images)
- hook-only — only hooks, no capabilities or surfaces
- non-capability — tools/commands/services but no capabilities
--json flag outputs a machine-readable report suitable for scripting and auditing. info is an alias for inspect.