Plugin install should guard WhatsApp plugin/core version compatibility

[VishalJ99]

Summary

While trying to recover a WhatsApp relink by reinstalling the WhatsApp plugin, a floating plugin install pulled a newer @openclaw/whatsapp package into an older local OpenClaw source checkout and the plugin failed to load because it expected a newer core/plugin SDK API.

Observed behavior

On a source checkout that reported 2026.5.10-beta.1, running a floating install like this:

openclaw plugins install @openclaw/whatsapp

installed the then-latest package version 2026.5.20. Loading that package failed with an API mismatch:

createSetupTranslator is not a function

Restoring the bundled source plugin made WhatsApp load again.

Expected behavior

One of these would avoid a confusing recovery path:

• openclaw plugins install @openclaw/whatsapp chooses a plugin package version compatible with the running OpenClaw core version.
• Or the installer refuses the install with a clear compatibility error and suggests either updating OpenClaw core or installing an exact matching plugin version.
• Or bundled channel plugins are preferred unless the operator explicitly opts into an external package override.

Why it matters

When WhatsApp auth is already broken, openclaw plugins install @openclaw/whatsapp looks like a plausible recovery step. If it silently installs a package built against a newer core API, the operator ends up with an additional plugin-load failure that obscures the original WhatsApp auth problem.

Related WhatsApp recovery documentation/issues from the same field run: #85866, #85867, #85868.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-23 23:37 UTC / May 23, 2026, 7:37 PM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open: current main has a min-host install guard, but the WhatsApp package still advertises a newer plugin API/OpenClaw peer requirement than its install floor, and the npm install path does not select a compatible package version or reject that API mismatch before install.

Reproducibility: yes. from source inspection: a host like 2026.5.10-beta.1 would satisfy WhatsApp's current minHostVersion floor while the same package metadata says the plugin API/OpenClaw peer requirement is >=2026.5.22. The npm install validation path only enforces minHostVersion, so the reported mismatch remains source-reproducible without running a live install.

Next step
The bug has a clear source-backed failure boundary in package install compatibility checks and can be addressed by one focused PR with installer and metadata tests.

Review details

Best possible solution:

Make external package install fail closed before persisting a plugin when package metadata declares an OpenClaw/plugin API newer than the running host, and add a regression test for the WhatsApp version-skew case.

Do we have a high-confidence way to reproduce the issue?

Yes, from source inspection: a host like 2026.5.10-beta.1 would satisfy WhatsApp's current minHostVersion floor while the same package metadata says the plugin API/OpenClaw peer requirement is >=2026.5.22. The npm install validation path only enforces minHostVersion, so the reported mismatch remains source-reproducible without running a live install.

Is this the best way to solve the issue?

No, the current implementation is not the best solution because direct npm install lacks the compatibility gate already present for ClawHub. The maintainable fix is a generic package-install compatibility check plus aligned WhatsApp metadata, not a WhatsApp-only recovery special case.

Label changes:

• add P2: This is a concrete plugin installation compatibility bug with a confusing channel recovery failure but limited blast radius to external/floating plugin installs.
• add issue-rating: 🦞 diamond lobster: Current issue advisory state selects this label.
• add clawsweeper:source-repro: Current issue advisory state selects this label.
• add clawsweeper:queueable-fix: Current issue advisory state selects this label.
• add clawsweeper:fix-shape-clear: Current issue advisory state selects this label.

Label justifications:

• P2: This is a concrete plugin installation compatibility bug with a confusing channel recovery failure but limited blast radius to external/floating plugin installs.

Acceptance criteria:

• node scripts/run-vitest.mjs src/plugins/install.test.ts src/plugins/install.npm-spec.test.ts src/cli/plugins-cli.install.test.ts src/plugins/manifest-registry.test.ts
• node scripts/run-vitest.mjs src/plugins/official-external-plugin-catalog.test.ts src/channels/plugins/contracts/channel-catalog.contract.test.ts

What I checked:

• WhatsApp metadata mismatch: Current WhatsApp package metadata declares peerDependencies.openclaw as >=2026.5.22 and openclaw.compat.pluginApi as >=2026.5.22, but openclaw.install.minHostVersion remains >=2026.4.25, so an older 2026.5.x host can pass the install floor even though the plugin says it needs a newer API. (extensions/whatsapp/package.json:21, a1c2d093c2f9)
• Npm/package install only enforces minHostVersion: Package validation reads package.json#openclaw.install.minHostVersion and returns incompatibility errors from that single host-version check; no comparable npm-package check was found for openclaw.compat.pluginApi or peerDependencies.openclaw. (src/plugins/install.ts:1394, a1c2d093c2f9)
• Npm install path reaches package install without compatibility selection: Scoped npm installs such as @openclaw/whatsapp resolve through the npm install path with trusted official metadata and expected plugin id, but that path does not choose a host-compatible npm version or pass a plugin API compatibility requirement. (src/cli/plugins-install-command.ts:973, a1c2d093c2f9)
• ClawHub already has the stronger compatibility shape: The ClawHub installer rejects packages whose pluginApiRange or minimum gateway version is incompatible with the current runtime, showing the desired fail-closed behavior exists for ClawHub but not the direct npm path reported here. (src/plugins/clawhub.ts:994, a1c2d093c2f9)
• Documented install contract: The plugin manifest docs say openclaw.install.minHostVersion is enforced during install and non-bundled registry loading; the current WhatsApp metadata does not align that enforced field with its newer plugin API requirement. Public docs: docs/plugins/manifest.md. (docs/plugins/manifest.md:1200, a1c2d093c2f9)
• History provenance: Recent blame/history for the install guard, npm install routing, ClawHub compatibility guard, and WhatsApp package metadata points at the shallow-boundary commit plus subsequent plugin-metadata and WhatsApp work as the relevant area history. (src/plugins/install.ts:1394, 4c210e22fa97)

Likely related people:

• Peter Steinberger: Blame on the install minHostVersion guard, npm install routing, ClawHub compatibility check, and WhatsApp package metadata points to commit 4c210e2; later plugin metadata stability work also touched src/plugins. (role: recent installer and plugin metadata contributor; confidence: high; commits: 4c210e22fa97, 431467405486, d4299dcbaa53; files: src/plugins/install.ts, src/cli/plugins-install-command.ts, src/plugins/clawhub.ts)
• Kevin Lin: Recent WhatsApp feature work changed many runtime and approval files, making this a useful routing candidate for WhatsApp package/runtime compatibility context. (role: recent WhatsApp area contributor; confidence: medium; commits: 5fbaf2a8a236; files: extensions/whatsapp/src/approval-handler.runtime.ts, extensions/whatsapp/src/approval-native.ts, extensions/whatsapp/src/runtime.ts)
• Youssef Hemimy: Recent WhatsApp auto-reply fix touched the channel runtime surface adjacent to the reported plugin load failure context. (role: recent WhatsApp area contributor; confidence: medium; commits: f0ec7309fc87; files: extensions/whatsapp/src/auto-reply/monitor/inbound-dispatch.ts, extensions/whatsapp/src/auto-reply/monitor/inbound-dispatch.test.ts)

Remaining risk / open question:

• I did not run a live npm install because this review is read-only; the reproduction is source-backed rather than runtime-executed.
• Already-published npm package metadata cannot be fixed retroactively, so a robust fix may need generic package install compatibility checks rather than only changing the current WhatsApp package metadata.

Codex review notes: model gpt-5.5, reasoning high; reviewed against a1c2d093c2f9.

[jingchang0623-crypto]

This is a real-world pain point! We encountered a similar version mismatch scenario in our production setup.

The Problem Pattern:

• Floating installs (npm install <package>) can silently pull newer versions
• Older core APIs may not support new plugin features
• Recovery becomes manual (npm install @openclaw/whatsapp@<specific-version>)

Suggested Guard Approach:

# Pseudo-code for plugin install guard
CORE_VERSION=$(openclaw --version)
PLUGIN_COMPAT=$(cat node_modules/@openclaw/<plugin>/package.json | jq -r '.engines.openclaw // empty')

if [ -n "$PLUGIN_COMPAT" ] && ! semver satisfied "$CORE_VERSION" "$PLUGIN_COMPAT"; then
  echo "⚠️ Plugin requires OpenClaw $PLUGIN_COMPAT, but you have $CORE_VERSION"
  echo "Either: upgrade core, or pin plugin to compatible version"
  exit 1
fi

Also relevant: our openclaw-skill-security-scanner detects similar version/dependency issues in Skills.

Adding engines.openclaw field to plugin package.json would make this guard pattern enforceable! 🛡️