Is ajspig/honcho-setup safe?
https://github.com/openclaw/skills/tree/main/skills/ajspig/honcho-setup
The honcho-setup skill has a legitimate and clearly disclosed purpose — migrating AI agent memory files to Honcho's cloud service — and is unusually transparent about its data handling. However, its core operation constitutes near-total upload of user identity, memory, and agent configuration to a third-party service whose destination is controlled by an environment variable that could be manipulated, and it installs an unreviewed npm package as a side effect. The skill is not malicious as written, but the combination of massive data scope, third-party retention, environment-variable-controlled destination, and supply chain dependency from npm warrants careful review before deployment in any production environment.
Findings (9)
CRITICAL (-60): Bulk upload of complete user identity and agent memory to external API
The skill's primary function is uploading the entirety of what the agent knows about the user (USER.md, MEMORY.md, IDENTITY.md, all of memory/, all of canvas/) and the agent's own operating configuration (SOUL.md, AGENTS.md, BOOTSTRAP.md, TOOLS.md, HEARTBEAT.md) to api.honcho.dev. This is near-total exfiltration of the agent-user relationship. The disclosure is unusually transparent and a confirmation gate exists, but the scope means a user who clicks through without fully understanding is handing over their complete AI assistant history and personal profile to a third party.
HIGH (-15): Upload destination fully controlled by HONCHO_BASE_URL environment variable
All uploaded workspace data is sent to the URL in HONCHO_BASE_URL (defaulting to api.honcho.dev). Any process or actor that can set this variable can silently redirect the complete data upload to an attacker-controlled server. The confirmation dialog does show the destination URL, but a sophisticated attacker who controls env-var injection could substitute a convincing URL. A malicious fork of this skill need only change the default value.
HIGH (-25): Instructs installation of unreviewed npm package and dependency chain
The skill instructs running 'openclaw plugins install @honcho-ai/openclaw-honcho' and potentially 'npm install' within the plugin directory. The npm package and its full transitive dependency tree are not part of this skill review. A compromised npm package (e.g. via a dependency confusion attack or a malicious publish) could perform data exfiltration or code execution without triggering any of the skill's own confirmation gates.
MEDIUM (-10): Reads ~/.openclaw/.env with only behavioral (not technical) scope restriction
The skill instructs the agent to read ~/.openclaw/.env and extract HONCHO_API_KEY. The instruction 'Do not read or access any other environment variables from the .env file' is a behavioral constraint on the executing agent, not a technical one. An agent reading this file has access to all secrets in it, not just HONCHO_API_KEY. Depending on how the agent implements the read, other credentials (database passwords, other API keys) in the same file could be exposed.
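A technical, rather than behavioral, version of the two controls the HONCHO_BASE_URL and .env findings call for: read only HONCHO_API_KEY out of the .env file, and refuse an upload destination that is not on an allowlist. This is an added Python example, not code from the skill, the plugin or this review; the allowlist, the sample .env contents and the key value are constructed.

```python
import re
from urllib.parse import urlparse

DEFAULT_BASE_URL = "https://api.honcho.dev"   # default destination named in the review
# Assumption: only the managed service and a local self-hosted instance are acceptable.
ALLOWED_HOSTS = {"api.honcho.dev", "localhost", "127.0.0.1"}
_KV = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def read_single_key(env_text, wanted="HONCHO_API_KEY"):
    """Return the value of one key only; values of other keys are never retained."""
    for line in env_text.splitlines():
        m = _KV.match(line)
        if m is None or m.group(1) != wanted:
            continue                      # skip comments, blanks and every other key
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]           # strip matching surrounding quotes
        return value
    return None

def check_base_url(env):
    """Validate HONCHO_BASE_URL before any upload; returns (ok, reason_or_url)."""
    url = env.get("HONCHO_BASE_URL", DEFAULT_BASE_URL)
    p = urlparse(url)
    host = p.hostname
    if host is None:
        return False, f"unparseable destination {url!r}"
    if p.username or p.password:
        return False, "credentials embedded in destination URL"
    if p.scheme != "https" and host not in ("localhost", "127.0.0.1"):
        return False, f"refusing non-HTTPS destination {url!r}"
    if host not in ALLOWED_HOSTS:
        return False, f"destination host {host!r} is not on the allowlist"
    return True, url

# Constructed sample .env: a real ~/.openclaw/.env holds other secrets beside the key.
SAMPLE_ENV = """# constructed example, not a real file
DATABASE_URL=postgres://svc:dbpass-placeholder@db.internal/app
export HONCHO_API_KEY="hk_placeholder_value"
AWS_SECRET_ACCESS_KEY=aws-placeholder
"""

if __name__ == "__main__":
    print(read_single_key(SAMPLE_ENV))
    print(check_base_url({"HONCHO_BASE_URL": "https://api.honcho.dev.evil.example"}))
```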
MEDIUM (-15): Instructs git clone from external repo and docker-compose execution
The self-hosted Honcho path instructs the agent to clone https://github.com/plastic-labs/honcho and run docker-compose up. This introduces additional external code execution from a GitHub repository and runs untrusted container images. While this path is optional and user-directed, it extends the trust surface significantly.
MEDIUM (-25): Multiple sensitive credential files accessed during monitoring window
Filesystem monitoring detected OPEN/ACCESS events for /home/oc-exec/.env, /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, /home/oc-exec/.npmrc, /home/oc-exec/.docker/config.json, and /home/oc-exec/.config/gcloud/application_default_credentials.json at 05:00:04 (pre-clone) and 05:00:26 (post-install). Access timing and process lineage (sudo→auditctl sequence at 05:00:04) are consistent with the Oathe audit framework's canary baseline/integrity checks rather than skill-originated reads. All files were unmodified. Documented here for completeness given the sensitivity of the files involved.
MEDIUM (-30): Uploaded data subject to third-party retention with no user control
Once workspace files are uploaded to api.honcho.dev, their retention, processing, and potential sharing are governed by Honcho's privacy policy, which the skill links to but does not summarize. The user has no mechanism to verify or enforce data deletion, and the skill makes no commitment on Honcho's behalf. For self-hosted deployments this risk is mitigated, but managed Honcho is the default path.
LOW (-15): Broad shell command execution instructions embedded in skill
The skill contains multiple bash code blocks instructing the agent to run openclaw CLI commands, npm, git, and docker. While each command is disclosed, the aggregate execution surface is wide. Depending on the agent's sandboxing, these commands could have unintended side effects (e.g., npm install pulling vulnerable packages, docker-compose starting persistent services).
INFO (0): Transparency and confirmation measures present
The skill includes a prominent DATA UPLOAD WARNING at the top, a complete Security and Privacy Disclosure section, explicit listing of all files and their destinations in the confirmation prompt, and two separate confirmation gates (Step 3 for upload, Step 5 for archiving). This level of disclosure is above average for skills of this type and partially mitigates the exfiltration risk for informed users.