v1.0.0

GoHighLevel

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 12:50 AM.

Analysis

This is a transparent but broad GoHighLevel API helper that requires Maton-managed credentials and can change CRM, payment, and automation data, so users should verify the provider and approve write actions carefully.

Guidance

Before installing, confirm that you trust Maton and this publisher, use the least-privileged GoHighLevel token needed, keep MATON_API_KEY private, specify the intended Maton connection, and only approve write actions after reviewing the exact account, resource, and effect.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Manage contacts, sales pipelines, calendars, conversations, invoices, products, businesses, and marketing automation. ... All write operations require explicit user approval.

The skill exposes broad CRM, payment, and automation operations, including account-changing actions, but it also instructs the agent to confirm create, update, and delete calls with the user.

User impact: If approved too broadly, actions could modify important GoHighLevel business records or automation settings.
Recommendation: Approve only specific, clearly described write actions, and confirm the target account, location, resource, and intended effect before proceeding.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The registry metadata does not provide a source repository or homepage, which is a provenance gap for a skill that routes API calls through an external provider.

User impact: Users have less independent provenance information to verify before trusting the integration with credentials and business data.
Recommendation: Verify that the publisher and api.maton.ai service are expected and trusted before adding credentials.
Cascading Failures
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Sub-Account tokens access contacts, calendars, pipelines, conversations, payments, custom fields, tags, workflows, campaigns.

The covered resources include workflows, campaigns, payments, and CRM data, where one mistaken change could affect customers, automations, or business processes.

User impact: A wrong approved action could propagate through automations, customer communications, payment records, or sales processes.
Recommendation: For impactful changes, test on a limited scope first and confirm affected locations, contacts, workflows, and payment-related resources.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
You will typically need both connections — an agency token for location management and a sub-account token for CRM operations.

The skill uses delegated GoHighLevel authority through private integration tokens, including agency-level and sub-account-level scopes.

User impact: Connecting high-privilege tokens can let the integration access or change sensitive GoHighLevel account and CRM resources.
Recommendation: Use the least-privileged token needed for the task, separate agency and sub-account connections, and remove unused connections.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Maton proxies requests to `services.leadconnectorhq.com` and automatically injects your PIT token.

The skill relies on an external gateway/provider flow where Maton handles the GoHighLevel Private Integration Token and forwards requests.

User impact: GoHighLevel requests and credential-mediated access pass through Maton, so provider trust and correct connection selection matter.
Recommendation: Use the `Maton-Connection` header for the intended account, verify the provider, and avoid sending unnecessary sensitive data.