Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- dist/src/utils/openclawCli.js:500
- Evidence
child = execFile('openclaw', args, {
Security audit
Security checks across malware telemetry and agentic risk
The plugin is a coherent GotoPlan integration, but it needs review because it automatically bridges server-side messages into local OpenClaw agents and creates persistent agents through local shell commands.
Install only if you trust the GotoPlan backend and want it to act as a remote bridge into your local OpenClaw agents. Use a dedicated/least-privilege GotoPlan API key, enable Notion/Feishu/Yuque sync only when needed, and be aware that the plugin edits OpenClaw config, creates persistent local agents, and continuously polls the backend for work.
60/60 vendors flagged this plugin as clean.
Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal
child = execFile('openclaw', args, {execSync("npm run build", { cwd: root, stdio: "inherit", shell: true });hasAI_PLAN_API_KEY: [REDACTED],