GoHighLevel
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: highlevel
Version: 1.0.7
The skill is well-engineered, using only Python's standard library and implementing strict input validation for IDs to prevent path traversal and URL injection in `scripts/ghl-api.py`. Network access is correctly restricted to the GoHighLevel API base URL. However, the skill is classified as 'suspicious' due to the inherent vulnerability surface for prompt injection against the AI agent. The `ghl-api.py` script allows the agent to pass arbitrary JSON content (e.g., for `create_contact`, `send_message`, `create_social_post`) directly to the GoHighLevel API. While the skill itself does not contain malicious code or attempt to exfiltrate data, a compromised AI agent could be prompted to construct and send harmful data (e.g., phishing messages, or malicious attachment URLs if the GHL API is vulnerable to SSRF) via these API calls, leveraging the skill's legitimate functionality for unintended purposes. The `SKILL.md` documentation itself does not contain malicious prompt injection attempts.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you grant broad or agency-level scopes, the assistant may be able to read or change a large amount of GoHighLevel account data.
The skill requires a bearer token whose scopes may allow access to CRM data and, if configured as an agency integration, multiple sub-accounts.
`HIGHLEVEL_TOKEN` (Primary — your Private Integration bearer token) ... `HIGHLEVEL_LOCATION_ID` ... Agency Integration: Access scope | Agency + all sub-accounts
Use a sub-account private integration where possible, grant only the minimum scopes needed, and rotate/revoke the token if it is no longer required.
A mistaken or overly broad instruction could delete or modify CRM records if the token has write scopes.
The helper script contains direct mutation/destructive API functions. This is expected for a CRM management skill, but these actions can have business impact.
def delete_contact(contact_id): ... return _delete(f"/contacts/{cid}")
Require explicit user confirmation for delete, send-message, invoice/payment, workflow, and public-posting actions.
Large contact lists, emails, phone numbers, and related CRM details may be exposed to the assistant during use.
The skill can retrieve broad CRM contact data into command output/agent context. The artifacts do not show persistence, but the data itself may be sensitive.
def list_all_contacts():
"""Get ALL contacts with automatic pagination."""
    return search_contacts(query="", limit=100, paginate=True)
Use targeted searches when possible and avoid loading more customer data into the assistant than necessary.
Before granting a powerful CRM token, users may want extra assurance that the installed artifact is the intended release.
The package source is listed as unknown, and the provided artifacts also show different version values in SKILL.md/_meta/origin metadata.
Source: unknown ... Version: 1.0.7
Verify the publisher and installed version, and review the included scripts before adding production GoHighLevel credentials.
