GoHighLevel
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a transparent but broad GoHighLevel API helper that requires Maton-managed credentials and can change CRM, payment, and automation data, so users should verify the provider and approve write actions carefully.
Before installing, confirm that you trust Maton and this publisher, use the least-privileged GoHighLevel token needed, keep MATON_API_KEY private, specify the intended Maton connection, and only approve write actions after reviewing the exact account, resource, and effect.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved too broadly, actions could modify important GoHighLevel business records or automation settings.
The skill exposes broad CRM, payment, and automation operations, including account-changing actions, but it also instructs the agent to confirm create, update, and delete calls with the user.
Manage contacts, sales pipelines, calendars, conversations, invoices, products, businesses, and marketing automation. ... All write operations require explicit user approval.
Approve only specific, clearly described write actions, and confirm the target account, location, resource, and intended effect before proceeding.

Connecting high-privilege tokens can let the integration access or change sensitive GoHighLevel account and CRM resources.
The skill uses delegated GoHighLevel authority through private integration tokens, including agency-level and sub-account-level scopes.
You will typically need both connections — an agency token for location management and a sub-account token for CRM operations.
Use the least-privileged token needed for the task, separate agency and sub-account connections, and remove unused connections.

Users have less independent provenance information to verify before trusting the integration with credentials and business data.
The registry metadata does not provide a source repository or homepage, which is a provenance gap for a skill that routes API calls through an external provider.
Source: unknown; Homepage: none
Verify that the publisher and api.maton.ai service are expected and trusted before adding credentials.

GoHighLevel requests and credential-mediated access pass through Maton, so provider trust and correct connection selection matter.
The skill relies on an external gateway/provider flow where Maton handles the GoHighLevel Private Integration Token and forwards requests.
Maton proxies requests to `services.leadconnectorhq.com` and automatically injects your PIT token.
Use the `Maton-Connection` header for the intended account, verify the provider, and avoid sending unnecessary sensitive data.

A wrong approved action could propagate through automations, customer communications, payment records, or sales processes.
The covered resources include workflows, campaigns, payments, and CRM data, where one mistaken change could affect customers, automations, or business processes.
Sub-Account tokens access contacts, calendars, pipelines, conversations, payments, custom fields, tags, workflows, campaigns.
For impactful changes, test on a limited scope first and confirm affected locations, contacts, workflows, and payment-related resources.
