openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/.generated/config-baseline.sha256‎
Lines changed: 4 additions & 4 deletions b/‎docs/.generated/config-baseline.sha256‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/cli/crestodian.md‎
Lines changed: 11 additions & 0 deletions b/‎docs/cli/crestodian.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎docs/cli/plugins.md‎
Lines changed: 16 additions & 0 deletions b/‎docs/cli/plugins.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎docs/tools/clawhub.md‎
Lines changed: 4 additions & 1 deletion b/‎docs/tools/clawhub.md‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎docs/tools/plugin.md‎
Lines changed: 7 additions & 0 deletions b/‎docs/tools/plugin.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/cli/plugins-cli-test-helpers.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/cli/plugins-cli-test-helpers.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/cli/plugins-cli.ts‎
Lines changed: 19 additions & 174 deletions b/‎src/cli/plugins-cli.ts‎
Lines changed: 19 additions & 174 deletions
@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai
 - Plugins/ClawHub: prefer versioned ClawPack artifacts when ClawHub publishes digest metadata, verifying the ClawPack response header and downloaded bytes before installing. Thanks @vincentkoc.
 - Plugins/ClawHub: persist ClawPack digest metadata on ClawHub plugin install and update records so registry refreshes and download verification can reuse stored artifact facts. Thanks @vincentkoc.
 - Plugins/ClawHub: allow official bundled-plugin cutovers to prefer ClawHub installs with npm fallback only when the ClawHub package or version is absent. Thanks @vincentkoc.
+- Plugins/Crestodian: add ClawHub plugin search plus Crestodian plugin list/search/install/uninstall operations, with approval and audit coverage for install and uninstall.
 - Providers/OpenAI: add `extraBody`/`extra_body` passthrough for OpenAI-compatible TTS endpoints, so custom speech servers can receive fields such as `lang` in `/audio/speech` requests. Fixes #39900. Thanks @R3NK0R.
 - Dependencies: refresh workspace dependency pins, including TypeBox 1.1.37, AWS SDK 3.1041.0, Microsoft Teams 2.0.9, and Marked 18.0.3. Thanks @mariozechner, @aws, and @microsoft.
 - Discord/channels: add reusable message-channel access groups plus Discord channel-audience DM authorization, so allowlists can reference `accessGroup:<name>` across channel auth paths. (#75813)
 
@@ -1,4 +1,4 @@
-35224e7970e71225a51482432f1618ae3b54be9615956d8554a0e2df3d263bc8  config-baseline.json
-80e6e8dce647aef2d1310de55a81d27de52cca47fc24bd7ad81b80f43a72b84c  config-baseline.core.json
-eab8a85eefa2792fb8b98a07698e5ec31ff0b6f8af6222767e8049dcc5c4f529  config-baseline.channel.json
-af71b84b2411d8ccabcc6e09de0ee41f8212ff9869a6677698b6e7e3afdfaa47  config-baseline.plugin.json
+ae25cb1d397f1ea9642047ef13d35300c807cb1cd67f681c0b5af83b572b3638  config-baseline.json
+0a1907d595765b8bb7a41348d14323920ab50e402be49a19a45a4e2499306407  config-baseline.core.json
+c401cd3450f1737bc92418cfea301d20b54b7fbef9e6049834acc01af338e538  config-baseline.channel.json
+7731a0b93cb335b56fac4c807447ba659fea51ea7a6cd844dc0ef5616669ee75  config-baseline.plugin.json
@@ -71,6 +71,10 @@ agents
 create agent work workspace ~/Projects/work
 models
 set default model openai/gpt-5.5
+plugins list
+plugins search slack
+plugin install clawhub:openclaw-codex-app-server
+plugin uninstall openclaw-codex-app-server
 talk to work agent
 talk to agent for ~/Projects/work
 audit
@@ -99,6 +103,8 @@ Read-only operations can run immediately:
 
 - show overview
 - list agents
+- list installed plugins
+- search ClawHub plugins
 - show model/backend status
 - run status or health checks
 - check Gateway reachability
@@ -116,6 +122,8 @@ you pass `--yes` for a direct command:
 - change the default model
 - start, stop, or restart the Gateway
 - create agents
+- install plugins from ClawHub or npm
+- uninstall plugins
 - run doctor repairs that rewrite config or state
 
 Applied writes are recorded in:
@@ -240,6 +248,9 @@ Security contract for remote rescue:
 - Require an explicit owner identity. Rescue must not accept wildcard sender
   rules, open group policy, unauthenticated webhooks, or anonymous channels.
 - Owner DMs only by default. Group/channel rescue requires explicit opt-in.
+- Plugin search and list are read-only. Plugin install is local-only by default
+  because it downloads executable code. Plugin uninstall can be allowed as an
+  approved repair operation when rescue policy permits persistent writes.
 - Remote rescue cannot open the local TUI or switch into an interactive agent
   session. Use local `openclaw` for agent handoff.
 - Persistent writes still require approval, even in rescue mode.
 
@@ -31,6 +31,9 @@ openclaw plugins list
 openclaw plugins list --enabled
 openclaw plugins list --verbose
 openclaw plugins list --json
+openclaw plugins search <query>
+openclaw plugins search <query> --limit 20
+openclaw plugins search <query> --json
 openclaw plugins install <path-or-spec>
 openclaw plugins inspect <id>
 openclaw plugins inspect <id> --runtime
@@ -64,6 +67,7 @@ Native OpenClaw plugins must ship `openclaw.plugin.json` with an inline JSON Sch
 ### Install
 
 ```bash
+openclaw plugins search "calendar"                   # search ClawHub plugins
 openclaw plugins install <package>                      # ClawHub first, then npm
 openclaw plugins install clawhub:<package>              # ClawHub only
 openclaw plugins install npm:<package>                  # npm only
@@ -82,6 +86,10 @@ openclaw plugins install <plugin> --marketplace https://github.com/<owner>/<repo
 Bare package names are checked against ClawHub first, then npm. Treat plugin installs like running code. Prefer pinned versions.
 </Warning>
 
+`plugins search` queries ClawHub for installable plugin packages and prints
+install-ready package names. It searches code-plugin and bundle-plugin packages,
+not skills. Use `openclaw skills search` for ClawHub skills.
+
 <Note>
 ClawHub is the primary distribution and discovery surface for most plugins. Npm
 remains a supported fallback and direct-install path. During the migration to
@@ -217,6 +225,9 @@ openclaw plugins list
 openclaw plugins list --enabled
 openclaw plugins list --verbose
 openclaw plugins list --json
+openclaw plugins search <query>
+openclaw plugins search <query> --limit 20
+openclaw plugins search <query> --json
 ```
 
 <ParamField path="--enabled" type="boolean">
@@ -233,6 +244,11 @@ openclaw plugins list --json
 `plugins list` reads the persisted local plugin registry first, with a manifest-only derived fallback when the registry is missing or invalid. It is useful for checking whether a plugin is installed, enabled, and visible to cold startup planning, but it is not a live runtime probe of an already-running Gateway process. After changing plugin code, enablement, hook policy, or `plugins.load.paths`, restart the Gateway that serves the channel before expecting new `register(api)` code or hooks to run. For remote/container deployments, verify you are restarting the actual `openclaw gateway run` child, not only a wrapper process.
 </Note>
 
+`plugins search` is a remote ClawHub catalog lookup. It does not inspect local
+state, mutate config, install packages, or load plugin runtime code. Search
+results include the ClawHub package name, family, channel, version, summary, and
+an install hint such as `openclaw plugins install clawhub:<package>`.
+
 For bundled plugin work inside a packaged Docker image, bind-mount the plugin
 source directory over the matching packaged source path, such as
 `/app/extensions/synology-chat`. OpenClaw will discover that mounted source
 
@@ -60,11 +60,14 @@ Site: [clawhub.ai](https://clawhub.ai)
   </Tab>
   <Tab title="Plugins">
     ```bash
+    openclaw plugins search "calendar"
     openclaw plugins install clawhub:<package>
     openclaw plugins update --all
     ```
 
-    Bare npm-safe plugin specs are also tried against ClawHub before npm:
+    `plugins search` queries the ClawHub plugin catalog and prints install-ready
+    package names. Bare npm-safe plugin specs are also tried against ClawHub
+    before npm:
 
     ```bash
     openclaw plugins install openclaw-codex-app-server
 
@@ -27,6 +27,12 @@ temporary set of OpenClaw-owned plugin packages while that migration finishes.
 
   <Step title="Install a plugin">
     ```bash
+    # Search ClawHub plugins
+    openclaw plugins search "calendar"
+
+    # From ClawHub
+    openclaw plugins install clawhub:openclaw-codex-app-server
+
     # From npm
     openclaw plugins install npm:@acme/openclaw-plugin
 
@@ -433,6 +439,7 @@ openclaw plugins list                       # compact inventory
 openclaw plugins list --enabled            # only enabled plugins
 openclaw plugins list --verbose            # per-plugin detail lines
 openclaw plugins list --json               # machine-readable inventory
+openclaw plugins search <query>            # search ClawHub plugin catalog
 openclaw plugins inspect <id>              # static detail
 openclaw plugins inspect <id> --runtime    # registered hooks/tools/CLI/gateway methods
 openclaw plugins inspect <id> --json       # machine-readable
 
@@ -151,6 +151,8 @@ function restoreRuntimeCaptureMocks() {
 
 vi.mock("../runtime.js", () => ({
   defaultRuntime,
+  writeRuntimeJson: (runtime: CliMockOutputRuntime, value: unknown, space = 2) =>
+    runtime.writeJson(value, space),
 }));
 
 vi.mock("../config/config.js", () => ({
 
@@ -1,17 +1,10 @@
-import os from "node:os";
-import path from "node:path";
 import type { Command } from "commander";
 import { getRuntimeConfig, readConfigFileSnapshot, replaceConfigFile } from "../config/config.js";
-import { resolveStateDir } from "../config/paths.js";
 import type { OpenClawConfig } from "../config/types.openclaw.js";
-import {
-  tracePluginLifecyclePhase,
-  tracePluginLifecyclePhaseAsync,
-} from "../plugins/plugin-lifecycle-trace.js";
+import { tracePluginLifecyclePhaseAsync } from "../plugins/plugin-lifecycle-trace.js";
 import { defaultRuntime } from "../runtime.js";
 import { formatDocsLink } from "../terminal/links.js";
 import { theme } from "../terminal/theme.js";
-import { shortenHomePath } from "../utils.js";
 import type { PluginInspectOptions } from "./plugins-inspect-command.js";
 import type { PluginsListOptions } from "./plugins-list-command.js";
 import { applyParentDefaultHelpAction } from "./program/parent-default-help.js";
@@ -26,6 +19,11 @@ export type PluginMarketplaceListOptions = {
   json?: boolean;
 };
 
+export type PluginSearchOptions = {
+  json?: boolean;
+  limit?: number;
+};
+
 export type PluginUninstallOptions = {
   keepFiles?: boolean;
   /** @deprecated Use keepFiles. */
@@ -74,6 +72,17 @@ export function registerPluginsCli(program: Command) {
       await runPluginsListCommand(opts);
     });
 
+  plugins
+    .command("search")
+    .description("Search ClawHub plugin packages")
+    .argument("[query...]", "Search query")
+    .option("--limit <n>", "Max results", (value) => Number.parseInt(value, 10))
+    .option("--json", "Print JSON", false)
+    .action(async (queryParts: string[], opts: PluginSearchOptions) => {
+      const { runPluginsSearchCommand } = await import("./plugins-search-command.js");
+      await runPluginsSearchCommand(queryParts, opts);
+    });
+
   plugins
     .command("inspect")
     .alias("info")
@@ -162,172 +171,8 @@ export function registerPluginsCli(program: Command) {
     .option("--force", "Skip confirmation prompt", false)
     .option("--dry-run", "Show what would be removed without making changes", false)
     .action(async (id: string, opts: PluginUninstallOptions) => {
-      const {
-        loadInstalledPluginIndexInstallRecords,
-        removePluginInstallRecordFromRecords,
-        withoutPluginInstallRecords,
-        withPluginInstallRecords,
-      } = await import("../plugins/installed-plugin-index-records.js");
-      const { buildPluginSnapshotReport } = await import("../plugins/status.js");
-      const {
-        applyPluginUninstallDirectoryRemoval,
-        formatUninstallActionLabels,
-        formatUninstallSlotResetPreview,
-        planPluginUninstall,
-        resolveUninstallChannelConfigKeys,
-        UNINSTALL_ACTION_LABELS,
-      } = await import("../plugins/uninstall.js");
-      const { commitPluginInstallRecordsWithConfig } =
-        await import("./plugins-install-record-commit.js");
-      const { refreshPluginRegistryAfterConfigMutation } =
-        await import("./plugins-registry-refresh.js");
-      const { resolvePluginUninstallId } = await import("./plugins-uninstall-selection.js");
-      const { promptYesNo } = await import("./prompt.js");
-      const snapshot = await tracePluginLifecyclePhaseAsync(
-        "config read",
-        () => readConfigFileSnapshot(),
-        { command: "uninstall" },
-      );
-      const sourceConfig = (snapshot.sourceConfig ?? snapshot.config) as OpenClawConfig;
-      const installRecords = await tracePluginLifecyclePhaseAsync(
-        "install records load",
-        () => loadInstalledPluginIndexInstallRecords(),
-        { command: "uninstall" },
-      );
-      const cfg = withPluginInstallRecords(sourceConfig, installRecords);
-      const report = tracePluginLifecyclePhase(
-        "plugin registry snapshot",
-        () => buildPluginSnapshotReport({ config: cfg }),
-        { command: "uninstall" },
-      );
-      const extensionsDir = path.join(resolveStateDir(process.env, os.homedir), "extensions");
-      const keepFiles = Boolean(opts.keepFiles || opts.keepConfig);
-
-      if (opts.keepConfig) {
-        defaultRuntime.log(theme.warn("`--keep-config` is deprecated, use `--keep-files`."));
-      }
-
-      const { plugin, pluginId } = resolvePluginUninstallId({
-        rawId: id,
-        config: cfg,
-        plugins: report.plugins,
-      });
-      const hasEntry = pluginId in (cfg.plugins?.entries ?? {});
-      const hasInstall = pluginId in (cfg.plugins?.installs ?? {});
-
-      if (!hasEntry && !hasInstall) {
-        if (plugin) {
-          defaultRuntime.error(
-            `Plugin "${pluginId}" is not managed by plugins config/install records and cannot be uninstalled.`,
-          );
-        } else {
-          defaultRuntime.error(`Plugin not found: ${id}`);
-        }
-        return defaultRuntime.exit(1);
-      }
-
-      const channelIds = plugin?.status === "loaded" ? plugin.channelIds : undefined;
-      const plan = planPluginUninstall({
-        config: cfg,
-        pluginId,
-        channelIds,
-        deleteFiles: !keepFiles,
-        extensionsDir,
-      });
-      if (!plan.ok) {
-        defaultRuntime.error(plan.error);
-        return defaultRuntime.exit(1);
-      }
-
-      const preview: string[] = [];
-      if (plan.actions.entry) {
-        preview.push(UNINSTALL_ACTION_LABELS.entry);
-      }
-      if (plan.actions.install) {
-        preview.push(UNINSTALL_ACTION_LABELS.install);
-      }
-      if (plan.actions.allowlist) {
-        preview.push(UNINSTALL_ACTION_LABELS.allowlist);
-      }
-      if (plan.actions.denylist) {
-        preview.push(UNINSTALL_ACTION_LABELS.denylist);
-      }
-      if (plan.actions.loadPath) {
-        preview.push(UNINSTALL_ACTION_LABELS.loadPath);
-      }
-      if (plan.actions.memorySlot) {
-        preview.push(formatUninstallSlotResetPreview("memory"));
-      }
-      if (plan.actions.contextEngineSlot) {
-        preview.push(formatUninstallSlotResetPreview("contextEngine"));
-      }
-      const channels = cfg.channels as Record<string, unknown> | undefined;
-      if (plan.actions.channelConfig && hasInstall && channels) {
-        for (const key of resolveUninstallChannelConfigKeys(pluginId, { channelIds })) {
-          if (Object.hasOwn(channels, key)) {
-            preview.push(`${UNINSTALL_ACTION_LABELS.channelConfig} (channels.${key})`);
-          }
-        }
-      }
-      if (plan.directoryRemoval) {
-        preview.push(`directory: ${shortenHomePath(plan.directoryRemoval.target)}`);
-      }
-
-      const pluginName = plugin?.name || pluginId;
-      defaultRuntime.log(
-        `Plugin: ${theme.command(pluginName)}${pluginName !== pluginId ? theme.muted(` (${pluginId})`) : ""}`,
-      );
-      defaultRuntime.log(`Will remove: ${preview.length > 0 ? preview.join(", ") : "(nothing)"}`);
-
-      if (opts.dryRun) {
-        defaultRuntime.log(theme.muted("Dry run, no changes made."));
-        return;
-      }
-
-      if (!opts.force) {
-        const confirmed = await promptYesNo(`Uninstall plugin "${pluginId}"?`);
-        if (!confirmed) {
-          defaultRuntime.log("Cancelled.");
-          return;
-        }
-      }
-
-      const nextInstallRecords = removePluginInstallRecordFromRecords(installRecords, pluginId);
-      const nextConfig = withoutPluginInstallRecords(plan.config);
-      await tracePluginLifecyclePhaseAsync(
-        "config mutation",
-        () =>
-          commitPluginInstallRecordsWithConfig({
-            previousInstallRecords: installRecords,
-            nextInstallRecords,
-            nextConfig,
-            ...(snapshot.hash !== undefined ? { baseHash: snapshot.hash } : {}),
-          }),
-        { command: "uninstall" },
-      );
-      const directoryResult = await applyPluginUninstallDirectoryRemoval(plan.directoryRemoval);
-      for (const warning of directoryResult.warnings) {
-        defaultRuntime.log(theme.warn(warning));
-      }
-      await refreshPluginRegistryAfterConfigMutation({
-        config: nextConfig,
-        reason: "source-changed",
-        installRecords: nextInstallRecords,
-        traceCommand: "uninstall",
-        logger: {
-          warn: (message) => defaultRuntime.log(theme.warn(message)),
-        },
-      });
-
-      const removed = formatUninstallActionLabels({
-        ...plan.actions,
-        directory: directoryResult.directoryRemoved,
-      });
-
-      defaultRuntime.log(
-        `Uninstalled plugin "${pluginId}". Removed: ${removed.length > 0 ? removed.join(", ") : "nothing"}.`,
-      );
-      defaultRuntime.log("Restart the gateway to apply changes.");
+      const { runPluginUninstallCommand } = await import("./plugins-uninstall-command.js");
+      await runPluginUninstallCommand(id, opts);
     });
 
   plugins