Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GHL CRM for Realtors
v1.0.0
Manage realtor tasks in GoHighLevel CRM including contact search and updates, pipeline tracking, messaging, calendar slots, and workflow enrollment via API v2.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md are coherent with the stated purpose: both scripts interact only with GoHighLevel (services.leadconnectorhq.com) and implement contact, conversation, calendar, and opportunity endpoints. However, the registry metadata lists no required environment variables while the SKILL.md and both scripts clearly require HIGHLEVEL_TOKEN and HIGHLEVEL_LOCATION_ID. That metadata omission is an inconsistency that should be corrected.
Instruction Scope
Runtime instructions and scripts are narrowly scoped to the GHL API and related references; they do not attempt to read unrelated filesystem paths or contact unknown endpoints. Minor scope issues: references/troubleshooting.md shows example commands that echo $HIGHLEVEL_TOKEN (which would print the raw token), while SKILL.md's Safety Rules say 'Never print or echo raw tokens' — this contradiction could lead to accidental token exposure during debugging or by less-knowledgeable users.
Install Mechanism
No install spec; this is an instruction-only skill with included Python scripts using only standard library modules (urllib, json, re, etc.). There are no external downloads, package installers, or executable creation steps — low installation risk.
Credentials
The skill legitimately needs a Private Integration token (HIGHLEVEL_TOKEN) and a location ID (HIGHLEVEL_LOCATION_ID) to operate. These are sensitive credentials and are appropriately the only secrets required. However, the registry metadata failing to declare these env vars is a red flag for transparency. Also, the troubleshooting docs include examples that would print the token, increasing accidental exposure risk if users follow them without caution.
Persistence & Privilege
The skill does not request always:true or any elevated persistent platform privileges. It does not modify other skills or system-wide agent settings. It is user-invocable and allows autonomous invocation (platform default), which is expected for this kind of skill.
What to consider before installing
This skill looks like a plausible GHL integration, but take these precautions before installing:
- Verify provenance: the source/homepage is unknown; confirm you trust the owner before supplying credentials.
- Provide a dedicated Private Integration token with the minimum scopes needed (contacts.readonly, conversations.readonly/write, calendars, etc.) rather than a high-privilege account token. Rotate or revoke the token after testing.
- Do not paste your token into chat or public logs. Although the setup script masks the token display, the troubleshooting docs include examples that echo $HIGHLEVEL_TOKEN — avoid running those echo commands publicly.
- Because the registry metadata omits required env vars, ask the publisher to correct the manifest to declare HIGHLEVEL_TOKEN and HIGHLEVEL_LOCATION_ID so you can review permissions up front.
- Test in a safe environment (a throwaway sub-account or token with limited scopes) before using this against production data.
If you cannot verify the publisher or are uncomfortable supplying a token, do not install or run the scripts.
Like a lobster shell, security has layers — review code before you run it.
Tags: crm, ghl, latest, realtor
