Pluginv1.4.0

ClawScan security

Clawhub Github Publish 8Gd9hr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 7:43 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin is generally consistent with a memory/migration tool for Honcho, but there are multiple inconsistencies and a few behaviors (postinstall migration, config writes, workspace uploads, template sync/archiving) that the user should understand before installing.
Guidance: What you should consider before installing: - This skill is a memory/migration plugin: it will scan many workspace files (USER.md, MEMORY.md, memory/, canvas/, SOUL.md, AGENTS.md, BOOTSTRAP.md, TOOLS.md) and — with your explicit confirmation — upload them to the Honcho service (api.honcho.dev by default) or to a self-hosted HONCHO_BASE_URL. That upload is one-time for migration but the plugin also continues to observe and send conversation data to Honcho while enabled. - API key and config: If you provide HONCHO_API_KEY (or enter it during setup), the plugin will save it in ~/.openclaw/openclaw.json. If you don't want automatic uploads during package installation, ensure HONCHO_API_KEY is not set in your environment when installing. - postinstall behavior: The package includes an install/postinstall script (install.js) that can perform migration-like actions during npm/pnpm install if an API key is present. Before running installs that fetch this package, inspect install.js to confirm behavior. During normal guided 'openclaw honcho setup' the CLI promises an explicit confirmation prompt before uploading — rely on that prompt. - Privacy & backups: Back up your workspace before migrating. Review which files will be uploaded and consider using a self-hosted Honcho instance (set HONCHO_BASE_URL) if you need to keep data on your own infrastructure. - Metadata inconsistencies: The top-level registry metadata in this submission omits required binaries/envs and even shows a mismatched skill name. Do not rely solely on the registry summary; read the included SKILL.md and inspect install.js and the plugin code if you have sensitive data. - If you want to proceed: (1) Inspect install.js and the plugin code; (2) ensure HONCHO_API_KEY is unset during package installation if you don't want any automated migration; (3) run 'openclaw plugins install @honcho-ai/openclaw-honcho' and 'openclaw honcho setup' interactively and verify the exact file list before consenting to upload; (4) disable the plugin if you want to stop observation ('openclaw plugins disable openclaw-honcho'). If you want, I can point out the exact lines in install.js / CLI that perform uploads or show how the config is written so you can review them before installing.
Findings: [unicode-control-chars] unexpected: The pre-scan flagged unicode/control characters in the SKILL.md. There's no legitimate reason for hidden control characters in user-facing documentation; this could be an accidental artifact or an attempt at prompt-injection/obfuscation. Treat the SKILL.md with extra scrutiny (view raw text) before trusting it.

Review Dimensions

Purpose & Capability: concernThe package and SKILL.md describe a Honcho memory integration (uploading workspace memory files and running an OpenClaw plugin). However the registry metadata at the top of the submission claims no required binaries/env/config paths while the honcho-setup SKILL.md and other files explicitly declare use of node/npm, HONCHO_API_KEY, writing ~/.openclaw/openclaw.json, and network access to api.honcho.dev. The top-level skill name at the very top ('Clawhub Github Publish 8Gd9hr') also does not match the Honcho description/slug, which is an inconsistency. These mismatches suggest the registry metadata presented to the evaluator is incomplete or stale.
Instruction Scope: concernThe instructions explicitly tell the agent/user to run 'openclaw plugins install', 'openclaw honcho setup', and 'openclaw gateway restart'. 'openclaw honcho setup' will scan local workspace files (USER.md, MEMORY.md, memory/, canvas/, SOUL.md, AGENTS.md, BOOTSTRAP.md, TOOLS.md), display the exact list, ask for explicit confirmation, and then upload them to the configured Honcho endpoint. The SKILL.md is transparent about the uploads and ongoing observation behavior, but the runtime behavior includes reading many user files, writing plugin config to ~/.openclaw/openclaw.json, and persistent network activity after setup — all high-privacy actions that go beyond light-weight plugin usage. The docs claim uploads require explicit confirmation, but there is a postinstall/install.js script (and publishing-related scripts) that could run during package installation if an API key/env is present; that behavior must be considered part of the instruction surface.
Install Mechanism: noteNo remote ad-hoc downloads or obscure shorteners are present in the manifest; the repo is set up for normal npm/pnpm publishing and includes a postinstall/install.js and typical CI that publishes to npm. The install script (postinstall) is documented and can attempt migration when HONCHO_API_KEY is set; for development the docs note how to avoid the automatic migration. This is a legitimate install mechanism but the presence of an install/postinstall migration script means package installation could perform filesystem and network actions as part of dependency installation — users should be aware and audit install.js before running package installs in sensitive environments.
Credentials: noteThe functionality requires an API key for managed Honcho (HONCHO_API_KEY) and will store it in ~/.openclaw/openclaw.json when provided. It also requires Node/npm to run the CLI/setup. These requests are proportionate to a memory migration/plugin that needs to authenticate to an external memory service. However the registry summary at the top omitted these requirements, so the declared requirements in the honcho-setup SKILL.md (node, npm, HONCHO_API_KEY optional/used) are the accurate ones. The plugin reads many workspace files (by design) and will transmit them to the configured endpoint — that is expected for migration but is high-impact from a privacy perspective.
Persistence & Privilege: concernThe plugin is not force-installed (always:false) and is user-invocable, but once enabled it persistently observes conversations and sends data to the Honcho endpoint across sessions. The setup writes persistent configuration to ~/.openclaw/openclaw.json. The codebase and docs also mention template syncing and an install script that may archive workspace files or sync templates into the workspace; this modifies the user's workspace (copying/syncing templates, archiving legacy files) which contradicts some 'no files modified' statements in other places. Persistent observation plus potential workspace modifications merit extra caution.