Honcho Memory Multiplexer

Security checks across malware telemetry and agentic risk

Overview

This memory skill is mostly coherent, but it automatically sends conversations to Honcho and has a session-history tool whose access does not match its stated scope.

Install only if you want OpenClaw conversations and selected memory files stored in Honcho, potentially at the hosted Honcho API by default. Review the configured base URL and API key, inspect all edits to agent instruction files, and avoid sensitive use until session scoping, opt-out, deletion, and retention controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Memory Poisoning: Persistent Context Injection, Context Window Stuffing, Memory Manipulation
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill explicitly relies on sensitive environment variables such as HONCHO_API_KEY, HONCHO_BASE_URL, HONCHO_WORKSPACE_ID, and WORKSPACE_ROOT, but the only declared metadata is under openclaw-specific fields rather than an explicit permissions model. That creates a transparency and review gap: operators may not realize the skill can read configuration and secrets that influence network destinations and data migration behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior materially understates the effective trust and data-flow impact of the installed plugins: the implementation performs runtime injection of Honcho-derived context into prompts, automatic upload of conversation messages on agent_end, external API connectivity, and additional retrieval/Q&A tooling beyond simple setup. This is dangerous because users may consent to a one-time installation/migration workflow without understanding that ongoing sessions could continuously exfiltrate conversation data and alter agent behavior through injected remote memory context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill manifest describes setup and migration behavior, but the implementation exposes a broad set of operational memory tools and a CLI for querying, searching, recalling, and analyzing user memory. This expands the skill’s effective privilege and data-access surface beyond user expectations, increasing the risk of unintended data access or misuse by agents or operators.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The honcho_session tool claims it is limited to the current session, but the implementation calls honcho.session(params.sessionKey ?? "default") even though sessionKey is not declared in the schema. An agent or crafted caller that can pass undeclared parameters may retrieve arbitrary session history, defeating the documented access boundary and exposing unrelated conversations.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The honcho_session tool advertises that it only retrieves history from the current session, but the implementation uses params.sessionKey when constructing the Honcho session. This creates an access-control and trust-boundary issue: an agent or caller can request arbitrary session IDs and retrieve other sessions' summaries/messages, potentially exposing unrelated conversation history and sensitive data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The agent_end hook automatically sends conversation messages to the Honcho cloud via session.addMessages without any visible consent, notice, or runtime confirmation in this code. Because the plugin processes full conversation content, this can silently export sensitive user data to a third-party service, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The honcho_context tool retrieves broad cross-session memory for the user across all sessions, but the implementation provides no user-facing warning, consent check, or scoping controls. This increases the chance that sensitive historical data is surfaced unexpectedly to the agent or end user, contrary to least-privilege expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The agent_end hook persists conversation messages to Honcho cloud automatically, while the plugin also injects retrieved memory context into future prompts. In a memory plugin, silent exfiltration of conversation content to a third-party service is privacy-relevant and can expose sensitive user data, especially because the skill description emphasizes installation and memory migration rather than prominently disclosing ongoing cloud syncing.

Memory Manipulation

High
Category
Memory Poisoning
Content (excerpt from the skill's instruction file)
> - `BOOTSTRAP.md`
> - `AGENT.md` (if this workspace uses it)
>
> Preserve custom content; only replace memory-specific sections.
>
> ### Required policy text to add
Confidence
82% confidence
Finding
replace memory

VirusTotal

64/64 vendors flagged this skill as clean.