diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json
index 7f8543397..21b2874b2 100644
--- a/.openclaw-sync/source.json
+++ b/.openclaw-sync/source.json
@@ -1,5 +1,5 @@
 {
   "repository": "openclaw/openclaw",
-  "sha": "e4c127e678fca8c96f47e0f002072de7c1ffb08d",
-  "syncedAt": "2026-05-02T03:10:26.356Z"
+  "sha": "eee3aeae00fd4a99bf212cb7373534c36f37e396",
+  "syncedAt": "2026-05-02T03:13:47.146Z"
 }
diff --git a/docs/.generated/config-baseline.sha256 b/docs/.generated/config-baseline.sha256
index 322e0e3af..2e542edd2 100644
--- a/docs/.generated/config-baseline.sha256
+++ b/docs/.generated/config-baseline.sha256
@@ -1,4 +1,4 @@
-35224e7970e71225a51482432f1618ae3b54be9615956d8554a0e2df3d263bc8  config-baseline.json
-80e6e8dce647aef2d1310de55a81d27de52cca47fc24bd7ad81b80f43a72b84c  config-baseline.core.json
-eab8a85eefa2792fb8b98a07698e5ec31ff0b6f8af6222767e8049dcc5c4f529  config-baseline.channel.json
-af71b84b2411d8ccabcc6e09de0ee41f8212ff9869a6677698b6e7e3afdfaa47  config-baseline.plugin.json
+ae25cb1d397f1ea9642047ef13d35300c807cb1cd67f681c0b5af83b572b3638  config-baseline.json
+0a1907d595765b8bb7a41348d14323920ab50e402be49a19a45a4e2499306407  config-baseline.core.json
+c401cd3450f1737bc92418cfea301d20b54b7fbef9e6049834acc01af338e538  config-baseline.channel.json
+7731a0b93cb335b56fac4c807447ba659fea51ea7a6cd844dc0ef5616669ee75  config-baseline.plugin.json
diff --git a/docs/cli/crestodian.md b/docs/cli/crestodian.md
index ef3c9e58c..0202afac9 100644
--- a/docs/cli/crestodian.md
+++ b/docs/cli/crestodian.md
@@ -71,6 +71,10 @@ agents
 create agent work workspace ~/Projects/work
 models
 set default model openai/gpt-5.5
+plugins list
+plugins search slack
+plugin install clawhub:openclaw-codex-app-server
+plugin uninstall openclaw-codex-app-server
 talk to work agent
 talk to agent for ~/Projects/work
 audit
@@ -99,6 +103,8 @@ Read-only operations can run immediately:
 
 - show overview
 - list agents
+- list installed plugins
+- search ClawHub plugins
 - show model/backend status
 - run status or health checks
 - check Gateway reachability
@@ -116,6 +122,8 @@ you pass `--yes` for a direct command:
 - change the default model
 - start, stop, or restart the Gateway
 - create agents
+- install plugins from ClawHub or npm
+- uninstall plugins
 - run doctor repairs that rewrite config or state
 
 Applied writes are recorded in:
@@ -240,6 +248,9 @@ Security contract for remote rescue:
 - Require an explicit owner identity. Rescue must not accept wildcard sender
   rules, open group policy, unauthenticated webhooks, or anonymous channels.
 - Owner DMs only by default. Group/channel rescue requires explicit opt-in.
+- Plugin search and list are read-only. Plugin install is local-only by default
+  because it downloads executable code. Plugin uninstall can be allowed as an
+  approved repair operation when rescue policy permits persistent writes.
 - Remote rescue cannot open the local TUI or switch into an interactive agent
   session. Use local `openclaw` for agent handoff.
 - Persistent writes still require approval, even in rescue mode.
diff --git a/docs/cli/plugins.md b/docs/cli/plugins.md
index 3dc42428f..931733d7c 100644
--- a/docs/cli/plugins.md
+++ b/docs/cli/plugins.md
@@ -31,6 +31,9 @@ openclaw plugins list
 openclaw plugins list --enabled
 openclaw plugins list --verbose
 openclaw plugins list --json
+openclaw plugins search <query>
+openclaw plugins search <query> --limit 20
+openclaw plugins search <query> --json
 openclaw plugins install <path-or-spec>
 openclaw plugins inspect <id>
 openclaw plugins inspect <id> --runtime
@@ -64,6 +67,7 @@ Native OpenClaw plugins must ship `openclaw.plugin.json` with an inline JSON Sch
 ### Install
 
 ```bash
+openclaw plugins search "calendar"                   # search ClawHub plugins
 openclaw plugins install <package>                      # ClawHub first, then npm
 openclaw plugins install clawhub:<package>              # ClawHub only
 openclaw plugins install npm:<package>                  # npm only
@@ -82,6 +86,10 @@ openclaw plugins install <plugin> --marketplace https://github.com/<owner>/<repo
 Bare package names are checked against ClawHub first, then npm. Treat plugin installs like running code. Prefer pinned versions.
 </Warning>
 
+`plugins search` queries ClawHub for installable plugin packages and prints
+install-ready package names. It searches code-plugin and bundle-plugin packages,
+not skills. Use `openclaw skills search` for ClawHub skills.
+
 <Note>
 ClawHub is the primary distribution and discovery surface for most plugins. Npm
 remains a supported fallback and direct-install path. During the migration to
@@ -217,6 +225,9 @@ openclaw plugins list
 openclaw plugins list --enabled
 openclaw plugins list --verbose
 openclaw plugins list --json
+openclaw plugins search <query>
+openclaw plugins search <query> --limit 20
+openclaw plugins search <query> --json
 ```
 
 <ParamField path="--enabled" type="boolean">
@@ -233,6 +244,11 @@ openclaw plugins list --json
 `plugins list` reads the persisted local plugin registry first, with a manifest-only derived fallback when the registry is missing or invalid. It is useful for checking whether a plugin is installed, enabled, and visible to cold startup planning, but it is not a live runtime probe of an already-running Gateway process. After changing plugin code, enablement, hook policy, or `plugins.load.paths`, restart the Gateway that serves the channel before expecting new `register(api)` code or hooks to run. For remote/container deployments, verify you are restarting the actual `openclaw gateway run` child, not only a wrapper process.
 </Note>
 
+`plugins search` is a remote ClawHub catalog lookup. It does not inspect local
+state, mutate config, install packages, or load plugin runtime code. Search
+results include the ClawHub package name, family, channel, version, summary, and
+an install hint such as `openclaw plugins install clawhub:<package>`.
+
 For bundled plugin work inside a packaged Docker image, bind-mount the plugin
 source directory over the matching packaged source path, such as
 `/app/extensions/synology-chat`. OpenClaw will discover that mounted source
diff --git a/docs/tools/clawhub.md b/docs/tools/clawhub.md
index 6e5f1a68c..3ef358d7a 100644
--- a/docs/tools/clawhub.md
+++ b/docs/tools/clawhub.md
@@ -60,11 +60,14 @@ Site: [clawhub.ai](https://clawhub.ai)
   </Tab>
   <Tab title="Plugins">
     ```bash
+    openclaw plugins search "calendar"
     openclaw plugins install clawhub:<package>
     openclaw plugins update --all
     ```
 
-    Bare npm-safe plugin specs are also tried against ClawHub before npm:
+    `plugins search` queries the ClawHub plugin catalog and prints install-ready
+    package names. Bare npm-safe plugin specs are also tried against ClawHub
+    before npm:
 
     ```bash
     openclaw plugins install openclaw-codex-app-server
diff --git a/docs/tools/plugin.md b/docs/tools/plugin.md
index 2f04c927c..6335cb60b 100644
--- a/docs/tools/plugin.md
+++ b/docs/tools/plugin.md
@@ -27,6 +27,12 @@ temporary set of OpenClaw-owned plugin packages while that migration finishes.
 
   <Step title="Install a plugin">
     ```bash
+    # Search ClawHub plugins
+    openclaw plugins search "calendar"
+
+    # From ClawHub
+    openclaw plugins install clawhub:openclaw-codex-app-server
+
     # From npm
     openclaw plugins install npm:@acme/openclaw-plugin
 
@@ -433,6 +439,7 @@ openclaw plugins list                       # compact inventory
 openclaw plugins list --enabled            # only enabled plugins
 openclaw plugins list --verbose            # per-plugin detail lines
 openclaw plugins list --json               # machine-readable inventory
+openclaw plugins search <query>            # search ClawHub plugin catalog
 openclaw plugins inspect <id>              # static detail
 openclaw plugins inspect <id> --runtime    # registered hooks/tools/CLI/gateway methods
 openclaw plugins inspect <id> --json       # machine-readable