Back to plugin

Security audit

GotoPlan Manager

Security checks across malware telemetry and agentic risk

Overview

The package matches its GotoPlan automation purpose, but it needs Review because it auto-enables persistent local configuration and runs broad background agent/message orchestration with weak consent and disclosure controls.

Install only if you are comfortable giving this plugin ongoing access to your GotoPlan data, local OpenClaw agents, GotoBot messages, and optional third-party sync targets. Review the installer before running it, avoid pasting API keys into chat, prefer HTTPS-only API settings, and confirm that background polling, agent cloning, and external report syncing are acceptable for your workspace.

VirusTotal

65/65 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.destructive_delete_command

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/ensure-dist.mjs:19
Evidence
execSync("npm run build", { cwd: root, stdio: "inherit", shell: true });

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/utils/openclawCli.ts:583
Evidence
child = execFile('openclaw', args, {

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
macOS安装指南.md:164
Evidence
rm -rf ~/.openclaw/plugins/gotoplan-manager