Back to plugin

Security audit

GotoPlan Manager

Security checks across malware telemetry and agentic risk

Overview

The plugin is a coherent GotoPlan integration, but it needs review because it automatically bridges server-side messages into local OpenClaw agents and creates persistent agents through local shell commands.

Install only if you trust the GotoPlan backend and want it to act as a remote bridge into your local OpenClaw agents. Use a dedicated/least-privilege GotoPlan API key, enable Notion/Feishu/Yuque sync only when needed, and be aware that the plugin edits OpenClaw config, creates persistent local agents, and continuously polls the backend for work.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/src/utils/openclawCli.js:500
Evidence
child = execFile('openclaw', args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/ensure-dist.mjs:19
Evidence
execSync("npm run build", { cwd: root, stdio: "inherit", shell: true });

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/index.js:59
Evidence
hasAI_PLAN_API_KEY: [REDACTED],