fix: add ClawHub plugin display metadata

[thewilloftheshadow]

Summary

• Add openclaw.plugin.json name metadata for ClawHub-published plugins that were missing it.
• Improve package and manifest descriptions while preserving existing facts/credits, including Feishu/Lark's @m1heng maintainer note, NIP-04, zca-js, Codex app-server/catalog, LanceDB auto-recall/capture, OpenShell CLI details, and similar context.
• Include the current pixverse publishable plugin added on main.

Diagnosis

ClawHub package publishing resolves the card display name from openclaw.plugin.json.name before falling back to README/folder naming. The screenshot items with broken names (WhatsApp, Matrix, Discord, Feishu/Lark, Memory LanceDB, Brave) were missing manifest names, so publishing a .tgz made ClawHub title-case the tarball filename (openclaw-whatsapp-2026.5.26.tgz). Codex already had openclaw.plugin.json.name, which is why it rendered correctly.

Verification

• python3 JSON/metadata check for all publishable ClawHub plugin manifests and package descriptions
• targeted preservation check for existing description facts/credits (@m1heng, NIP-04, native zca-js, Codex app-server/catalog, LanceDB auto-recall/capture, OpenShell CLI details, etc.)
• git diff --check -- extensions
• pnpm release:plugins:clawhub:check

Real behavior proof

Behavior addressed: ClawHub-published plugin cards can use explicit manifest display names instead of title-casing uploaded tarball filenames, and summaries are clearer without dropping existing attribution/details.
Real environment tested: Local OpenClaw checkout metadata and release-check scripts.
Exact steps or command run after this patch: pnpm release:plugins:clawhub:check; git diff --check -- extensions; JSON parse/metadata assertion over ClawHub-published plugin manifests/package metadata; targeted description fact-preservation check.
Evidence after fix: All publishToClawHub plugins report non-empty manifest name and description; package descriptions are non-empty; plugin-clawhub-release-check reports publishable plugin metadata OK.
Observed result after fix: Release metadata validates for all ClawHub-published plugins.
What was not tested: Live ClawHub publish/render path.

[github-actions]

Dependency Changes Detected

This PR changes dependency-related files. Maintainers should confirm these changes are intentional.

Changed files:

• extensions/acpx/package.json
• extensions/amazon-bedrock-mantle/package.json
• extensions/amazon-bedrock/package.json
• extensions/anthropic-vertex/package.json
• extensions/brave/package.json
• extensions/codex/package.json
• extensions/diagnostics-otel/package.json
• extensions/diagnostics-prometheus/package.json
• extensions/diffs/package.json
• extensions/discord/package.json
• extensions/feishu/package.json
• extensions/google-meet/package.json
• extensions/googlechat/package.json
• extensions/line/package.json
• extensions/lobster/package.json
• extensions/matrix/package.json
• extensions/memory-lancedb/package.json
• extensions/msteams/package.json
• extensions/nextcloud-talk/package.json
• extensions/nostr/package.json
• extensions/openshell/package.json
• extensions/pixverse/package.json
• extensions/qqbot/package.json
• extensions/slack/package.json
• extensions/synology-chat/package.json
• 6 additional dependency-related files not shown

Maintainer follow-up:

• Review whether the dependency changes are intentional.
• Inspect resolved package deltas when lockfile, shrinkwrap, or workspace dependency policy changes are present.
• Treat package-lock.json and npm-shrinkwrap.json diffs as security-review surfaces.
• Run pnpm deps:changes:report -- --base-ref origin/main --markdown /tmp/dependency-changes.md --json /tmp/dependency-changes.json locally for detailed release-style evidence.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​silk-wasm@​3.7.1
	npm/​mpg123-decoder@​1.0.3
	npm/​audio-decode@​2.2.3
	npm/​zca-js@​2.1.2
	npm/​baileys@​7.0.0-rc13
	npm/​nostr-tools@​2.23.5

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Low adoption: npm fast-wrap-ansi Location: Package overview From: extensions/acpx/npm-shrinkwrap.json → npm/acpx@0.10.0 → npm/fast-wrap-ansi@0.2.2 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-wrap-ansi@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm silk-wasm Location: Package overview From: extensions/qqbot/npm-shrinkwrap.json → npm/silk-wasm@3.7.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/silk-wasm@3.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm whatsapp-rust-bridge Location: Package overview From: extensions/whatsapp/npm-shrinkwrap.json → npm/baileys@7.0.0-rc13 → npm/whatsapp-rust-bridge@0.5.4 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/whatsapp-rust-bridge@0.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[thewilloftheshadow]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Failed
• Detail: The targeted re-review did not finish cleanly. Check the workflow run for details.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26526357403
• Updated: 2026-05-27T17:20:12.249Z