ClawHub

Long-Term Memory (Honcho)

Security checks across malware telemetry and agentic risk

Overview

This skill transparently installs Honcho long-term memory and discloses that it can upload listed memory files and future workspace conversations to Honcho or a configured endpoint.

Install only in workspaces where sending the listed memory/configuration files and future conversation data to Honcho or your configured endpoint is acceptable. Review the file list before confirming migration, protect or rotate the Honcho API key stored in OpenClaw config, and disable the plugin when persistent memory is no longer wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context Leakage

High
Category
Data Exfiltration
Content
Honcho memory is now active.

> **Ongoing behavior after setup**: Once enabled, the plugin will persistently observe conversations in this workspace and send conversation data to `api.honcho.dev` (or your configured `HONCHO_BASE_URL`) to build and retrieve memory. This is ongoing network activity that continues across sessions. Memory is made available via `honcho_recall`, `honcho_search`, `honcho_profile`, and related tools. To stop this behavior, disable the plugin with `openclaw plugins disable openclaw-honcho`.

---
Confidence
98% confidence
Finding
send conversation

Session Persistence

Medium
Category
Rogue Agent
Content
This command will:
1. Prompt interactively for your Honcho API key
2. Write configuration to `~/.openclaw/openclaw.json`
3. Scan for legacy memory files and offer to migrate them to Honcho

Follow the prompts. Migration is optional — if you have no legacy files or want to skip, you can skip the upload step.
Confidence
90% confidence
Finding
Write configuration to `~/.openclaw/openclaw.json` 3. Scan for legacy memory files and offer to migrate them to Honcho Follow the prompts. Migration is optional — if you have no legacy files or want

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal