honcho-setup

The plugin and its setup intentionally upload local agent memory and workspace files to an external Honcho API (api.honcho.dev by default) after explicit user confirmation. This is documented behavior and not hidden, but it poses non-trivial privacy and supply-chain risks: centralized storage of sensitive personal data, persistent API keys on disk, and the need to execute third-party npm code locally. Operators should only use the setup when they trust the destination, inspect the exact file list shown at prompt, secure ~/.openclaw/openclaw.json (restrict file permissions), avoid running the setup non-interactively in environments where automated uploads may occur, and prefer self-hosting if organizational policy requires control over data. This is not strong evidence of malware, but it is a data-exfiltration feature requiring caution and proper threat-modeling.