GoHighLevel

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent GoHighLevel CRM integration, but it can access and change sensitive CRM, messaging, financial, and social-posting data depending on the token scopes you grant.

This skill appears purpose-aligned and not malicious from the provided artifacts. Before installing, create a least-privilege GoHighLevel Private Integration, prefer sub-account scope over agency scope, and require confirmation for deleting records, sending messages, changing invoices/payments, launching workflows, or publishing social posts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you grant broad or agency-level scopes, the assistant may be able to read or change a large amount of GoHighLevel account data.

Why it was flagged

The skill requires a bearer token whose scopes may allow access to CRM data and, if configured as an agency integration, multiple sub-accounts.

Skill content

`HIGHLEVEL_TOKEN` (Primary — your Private Integration bearer token) ... `HIGHLEVEL_LOCATION_ID` ... Agency Integration: Access scope | Agency + all sub-accounts

Recommendation

Use a sub-account private integration where possible, grant only the minimum scopes needed, and rotate/revoke the token if it is no longer required.

What this means

A mistaken or overly broad instruction could delete or modify CRM records if the token has write scopes.

Why it was flagged

The helper script contains direct mutation/destructive API functions. This is expected for a CRM management skill, but these actions can have business impact.

Skill content

def delete_contact(contact_id): ... return _delete(f"/contacts/{cid}")

Recommendation

Require explicit user confirmation for delete, send-message, invoice/payment, workflow, and public-posting actions.

What this means

Large contact lists, emails, phone numbers, and related CRM details may be exposed to the assistant during use.

Why it was flagged

The skill can retrieve broad CRM contact data into command output/agent context. The artifacts do not show persistence, but the data itself may be sensitive.

Skill content

def list_all_contacts():
    """Get ALL contacts with automatic pagination."""
    return search_contacts(query="", limit=100, paginate=True)

Recommendation

Use targeted searches when possible and avoid loading more customer data into the assistant than necessary.

What this means

Before granting a powerful CRM token, users may want extra assurance that the installed artifact is the intended release.

Why it was flagged

The package source is listed as unknown, and the provided artifacts also show different version values in SKILL.md/_meta/origin metadata.

Skill content

Source: unknown ... Version: 1.0.7

Recommendation

Verify the publisher and installed version, and review the included scripts before adding production GoHighLevel credentials.