Resolving the 423 VirusTotal Scan Pending Error in OpenClaw
TL;DR: Quick Fix
The 423 error is a local file path bug in OpenClaw v2026.3.24; you can work around it by sanitizing the package path during plugin installation.
Error Signal
ClawHub /api/v1/packages/%40openclaw%2Fmatrix/download failed (423)
What's Happening
You are seeing a "423: This package release is pending a security scan by VirusTotal" error when running openclaw plugins install. Despite the warning, this is not a legitimate security hold or a server-side issue. Your plugin installation is failing because of a local file system conflict when handling scoped packages.
The Fix
There is no server-side "fix" you need to wait for from the ClawHub team. The issue stems from how your local installation environment handles directory paths for scoped packages like @openclaw/matrix or @openclaw/msteams.
To work around this, make sure the local temporary directory handling does not collide with the forward slash in your scoped package name. If you are on version 2026.3.24, you can manually override the plugin path or wait for the patch release. Currently, the most effective workaround is to verify that you have write access to your system's temp folder, or to run the install command with administrative privileges so that the path expansion doesn't fail silently.
Why This Occurs
This is a regression introduced in OpenClaw v2026.3.24. As identified by community members, clawhub-CYHm55oG.js uses the package name directly to construct an archive path:
const archivePath = path.join(tmpDir, `${params.name}.zip`);
Because your package name contains a slash (e.g., @openclaw/matrix), path.join attempts to create a nested directory structure inside your /tmp directory instead of a flat zip file. This causes the file system operation to throw an error, which the CLI incorrectly translates into the misleading 423 status code from the server API.
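The following added example (not OpenClaw source, and not the project's patch) reproduces the path behaviour described above in a throwaway temp directory and contrasts it with one possible sanitizing approach. The function names and the flattening rule are assumptions made for illustration.

```javascript
// Added illustration; not OpenClaw source. Function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Pattern quoted above: the package name is used directly as a path fragment.
function naiveArchivePath(tmpDir, name) {
  return path.join(tmpDir, `${name}.zip`);
}

// Assumed fix: map the name to one flat file name, then confirm containment.
function safeArchivePath(tmpDir, name) {
  const flat = name.replace(/[^A-Za-z0-9._-]/g, '_').replace(/^\.+/, '_');
  const candidate = path.resolve(tmpDir, `${flat}.zip`);
  if (path.dirname(candidate) !== path.resolve(tmpDir)) {
    throw new Error(`archive path escapes ${tmpDir}: ${name}`);
  }
  return candidate;
}

// Try to write an archive and report the file system error code, if any.
function tryWrite(archivePath) {
  try {
    fs.writeFileSync(archivePath, 'constructed placeholder bytes');
    return 'ok';
  } catch (err) {
    return err.code;
  }
}

function demo() {
  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'archive-demo-'));
  const name = '@openclaw/matrix'; // scoped name from the error above
  const naive = naiveArchivePath(tmpDir, name);
  const safe = safeArchivePath(tmpDir, name);
  const result = {
    naiveIsNested: path.dirname(naive) !== tmpDir, // lands in tmpDir/@openclaw/
    naiveWrite: tryWrite(naive), // parent directory "@openclaw" does not exist
    safeName: path.basename(safe),
    safeWrite: tryWrite(safe),
  };
  fs.rmSync(tmpDir, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Flattening is lossy: two distinct package names can map to the same file name, so a production fix would need a collision-free encoding of the name.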
Prevention
Avoid upgrading to v2026.3.24 if you heavily rely on scoped plugins until a patch is released. Check the openclaw/openclaw GitHub repository for the next stable build that addresses the path.join logic. If you must use this version, avoid using shorthand scoped names in your install commands where possible.
Last Updated: April 2026