ClawHub
Back to skill
v1.0.1

Hylo — GHL Automation Expert

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

This is a coherent GHL knowledge/API helper that requires a Hylo API key and sends GHL-related queries to Hylo, with no code or direct GHL account mutation shown.

GuidanceThis skill appears safe for GHL reference and workflow planning. Before installing, be comfortable using a Hylo API key and sending GHL-related questions or workflow details to Hylo; avoid placing customer PII, secrets, or sensitive account data in prompts unless necessary.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
- ALWAYS call the API -- don't guess about GHL.

The skill directs the agent to use the Hylo API for GHL-related questions. This is aligned with the skill's purpose, but it makes external API use the default behavior for those requests.

User impactGHL-related prompts may trigger external API calls instead of being answered only from the local model context.
RecommendationUse the skill for GHL-specific help, and avoid including unnecessary secrets, customer records, or sensitive business data in prompts.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
requires": {"env": ["HYLO_API_KEY"]}, "primaryEnv": "HYLO_API_KEY"

The skill requires a Hylo API key for authentication. This is expected for the Hylo knowledge API and is disclosed in the metadata.

User impactAnyone with the key may be able to use the associated Hylo subscription or quota.
RecommendationStore the API key in the environment rather than in chat, rotate it if exposed, and use the least-privileged or revocable key option if Hylo provides one.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
reference/endpoints.md
curl -X POST https://api.hylo.pro/v1/templates/workflow ... -d '{ "objective": "Send 3 follow-up emails after a contact fills out a form" ... }'

Workflow objectives and validation details are sent to the external Hylo API. This is disclosed and purpose-aligned, but it is still a third-party data flow.

User impactBusiness workflow objectives, trigger names, and action configurations may be shared with Hylo when planning or validating workflows.
RecommendationReview Hylo's privacy and retention practices if prompts may include confidential workflow logic, customer data, or regulated information.