Honcho Memory Multiplexer
Warn
Audited by ClawScan on May 10, 2026.
Overview
This memory plugin mostly does what it says, but it deserves Review because it can automatically save chat history to Honcho cloud and reuse stored memory in future prompts.
Install only if you are comfortable with Honcho storing memory and chat content, or configure a trusted self-hosted Honcho endpoint. Before migration, review the file preview and workspace instruction diffs, avoid using it with highly sensitive conversations unless redaction/retention controls are clear, and confirm you can delete or disable stored memory later.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private chats, secrets pasted into prompts, and assistant outputs may be stored outside the local workspace unless the user deliberately configures otherwise.
The extension defaults to Honcho's hosted API and automatically sends extracted user/assistant conversation messages to a Honcho session after successful runs.
baseUrl: (pluginConfig.baseUrl as string) || "https://api.honcho.dev" ... api.on("agent_end" ... await session.addMessages(newMessages);
Require explicit opt-in for cloud persistence, clearly document retention and deletion behavior, add redaction/exclusion controls, and use a self-hosted `HONCHO_BASE_URL` if cloud storage is not intended.
Stale, incorrect, or adversarially planted memory could affect future answers or decisions, and private facts may reappear in later sessions.
Honcho-derived persistent memory is inserted into the system prompt, giving stored or summarized memory high influence over later agent runs.
return { systemPrompt: `## User Memory Context\n\n${sections.join("\n\n")}\n\nUse this context naturally when relevant.`, };
Treat recalled memory as untrusted context, label sources clearly, provide user review/reset controls, and avoid elevating raw memory into high-priority instructions without validation.
A setup mistake or unwanted policy change could persist and influence later agent behavior across the workspace.
The skill intentionally modifies persistent workspace instruction files that can affect future agents and sessions.
Update/create memory instructions in: `AGENTS.md`, `SOUL.md`, `BOOTSTRAP.md`, `AGENT.md` ... Preserve custom content; only replace memory-specific sections.
Review diffs before accepting documentation changes and keep backups or version control so instruction edits can be reverted.
Installing the wrong or compromised package would give code access to memory-related agent hooks and data flows.
The skill instructs users to install external plugins and optionally clone/run a repository, which is normal for setup but depends on external package provenance.
openclaw plugins install @honcho-ai/openclaw-honcho ... openclaw plugins install @alloralabs/honcho-memory-mux ... git clone https://github.com/plastic-labs/honcho
Verify package names, publisher identity, versions, and repository URLs before installing; prefer pinned versions where practical.
The key may grant access to the user's Honcho workspace and stored memory.
The plugin can use a Honcho API key, and the UI marks it sensitive; this is expected for the integration.
"apiKey": { "type": "string", "description": "Honcho API key (or set HONCHO_API_KEY env var)" } ... "sensitive": true
Use a least-privilege key if available, store it only in approved secret/config mechanisms, and rotate it if exposed.
