Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GoHighLevel

v1.0.7

Connect your AI assistant to GoHighLevel CRM via the official API v2. Manage contacts, conversations, calendars, pipelines, invoices, payments, workflows, an...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (GoHighLevel CRM via API v2) match the included scripts and reference docs. The two required env vars (HIGHLEVEL_TOKEN, HIGHLEVEL_LOCATION_ID) are exactly what an API client for this service needs. The code targets services.leadconnectorhq.com and implements endpoints documented in the references.
Instruction Scope
SKILL.md and the included setup and API helper scripts only read the declared environment variables and make HTTPS calls to the stated Base URL. The setup wizard is interactive and does not attempt to read unrelated files or send data to third-party endpoints outside the documented GHL API. The skill explicitly validates IDs and uses urllib (no shell commands).
Install Mechanism
No install spec or external downloads are present. The skill is instruction-only with bundled Python stdlib scripts — nothing is written to disk by an installer and no external packages are pulled.
Credentials
The two requested environment variables (HIGHLEVEL_TOKEN and HIGHLEVEL_LOCATION_ID) are appropriate for the stated purpose. Minor metadata inconsistency: registry metadata lists no primary credential while SKILL.md calls HIGHLEVEL_TOKEN the Primary token. Otherwise there are no unrelated secrets requested. Be aware that the provided token's scopes determine the privilege level (some endpoints can delete locations or manage billing when given agency-level scopes).
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. The setup wizard sets env vars in-process only (does not persist configuration to files) and helper scripts print output to stdout; there is no installer creating persistent agents or background services.
Assessment
This skill appears coherent and implements a standard GoHighLevel API client. Before installing or running it:
1) Only provide a Private Integration token created for a sub-account and grant the minimum scopes required; avoid agency-level scopes unless you need them.
2) Do not paste your token into public chat or third-party sites.
3) Review the included scripts locally (they are stdlib-only) before running them to confirm they behave as expected.
4) If you are concerned about blast radius, create a test sub-account and a token with read-only scopes to validate functionality first.
5) Note the small metadata mismatch (SKILL.md marks HIGHLEVEL_TOKEN as primary while registry metadata shows none) — this is likely bookkeeping, not functionally harmful, but you may want the publisher to correct it.

Like a lobster shell, security has layers — review code before you run it.

crm, highlevel, latest, leadconnector

Runtime requirements

🦞 Clawdis
Env: HIGHLEVEL_TOKEN, HIGHLEVEL_LOCATION_ID