Shell command execution detected (child_process).
- Code
- suspicious.dangerous_exec
- Location
- scripts/ensure-dist.mjs:19
- Evidence
execSync("npm run build", { cwd: root, stdio: "inherit", shell: true });
Security audit
Security checks across malware telemetry and agentic risk
The package matches its GotoPlan automation purpose, but it needs Review because it auto-enables persistent local configuration and runs broad background agent/message orchestration with weak consent and disclosure controls.
Install only if you are comfortable giving this plugin ongoing access to your GotoPlan data, local OpenClaw agents, GotoBot messages, and optional third-party sync targets. Review the installer before running it, avoid pasting API keys into chat, prefer HTTPS-only API settings, and confirm that background polling, agent cloning, and external report syncing are acceptable for your workspace.
65/65 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command
execSync("npm run build", { cwd: root, stdio: "inherit", shell: true });child = execFile('openclaw', args, {rm -rf ~/.openclaw/plugins/gotoplan-manager