Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Long-Term Memory (Honcho)

v1.0.4

Install the @honcho-ai/openclaw-honcho plugin and run initial setup. Runs `openclaw plugins install`, `openclaw honcho setup` (which prompts for your API key...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Long-Term Memory / Honcho) align with the instructions: installing an OpenClaw Honcho plugin, running its setup, and migrating/uploading workspace memory files to the Honcho API. Optional env vars (HONCHO_API_KEY, HONCHO_BASE_URL) and writing config to ~/.openclaw/openclaw.json are consistent with integrating a remote memory service. Minor metadata mismatch: registry 'Requirements' reported none, while SKILL.md metadata lists node and npm as required binaries.
Instruction Scope
SKILL.md explicitly instructs three commands (plugin install, plugin setup, gateway restart) and clearly documents which files will be uploaded (USER.md, MEMORY.md, memory/, canvas/, SOUL.md, IDENTITY.md, AGENTS.md, BOOTSTRAP.md, TOOLS.md) and that HEARTBEAT.md is excluded. The upload and persistent observation behavior is called out and requires explicit interactive user confirmation before upload. This scope is broader (it transmits many personal/workspace files) but is consistent with the stated purpose.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code — the skill tells the user to run the OpenClaw plugin installer, which is the platform's normal mechanism. No direct downloads or archive extraction are performed by the skill itself. The fallback 'npm install' guidance (in case the plugin installer does not install dependencies) is reasonable. No high-risk install URLs or extract operations are present in the skill text.
Credentials
The skill does not demand unrelated credentials; it optionally uses HONCHO_API_KEY for managed Honcho and HONCHO_BASE_URL for self-hosting. It will prompt for an API key and write it to ~/.openclaw/openclaw.json — this is proportional to connecting to a remote memory service but is sensitive. Users should understand that providing an API key or using managed Honcho enables uploads of workspace files to an external endpoint.
Persistence & Privilege
always:false (default) and autonomous invocation is allowed (platform default). The plugin, once enabled, will persistently observe conversations and send data across sessions — this persistent network behavior is consistent with a memory plugin but increases privacy risk. The skill does not request system-wide privileges or attempt to modify other skills' configs beyond writing its own plugin config.
Assessment
This skill does what it says: it installs a Honcho plugin and offers to upload many workspace/memory files to a remote Honcho API (api.honcho.dev by default). Before installing, confirm you trust Honcho (managed service) or set HONCHO_BASE_URL to a self-hosted instance you control. Pay attention to the interactive prompts: the setup requires explicit confirmation before any upload. Be aware the plugin will write your API key to ~/.openclaw/openclaw.json and will continue to observe and transmit conversation data across sessions until you disable it (openclaw plugins disable openclaw-honcho). Also note minor metadata inconsistencies in the skill package (required binaries listed in SKILL.md but not in the registry summary, and a version mismatch in _meta.json); inspect the installed plugin code under ~/.openclaw/extensions/openclaw-honcho if you want to verify behavior before enabling.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🧠 Clawdis
