Highlevel 1.0.7

v1.0.0

Connect your AI assistant to GoHighLevel CRM via the official API v2. Manage contacts, conversations, calendars, pipelines, invoices, payments, workflows, an...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill name/description (GoHighLevel CRM v2) matches the actual requirements and behavior: it requires HIGHLEVEL_TOKEN and HIGHLEVEL_LOCATION_ID and the scripts call only the GoHighLevel base URL. Minor inconsistencies exist in metadata (SKILL.md lists version 1.2.0 while _meta.json/registry show other versions and ownerId values), which could be a maintenance/versioning oversight but do not affect capability coherence.
Instruction Scope
SKILL.md and the included scripts limit actions to guiding setup, validating environment variables, and making API calls to https://services.leadconnectorhq.com. The setup wizard prompts for token/location and uses urllib; ghl-api.py validates IDs with a strict regex and uses only predefined endpoint paths/pagination. There are no instructions to read unrelated files, run shell commands beyond invoking the Python scripts, or transmit data to unexpected endpoints.
Install Mechanism
There is no install spec; the package is 'instruction-only' and includes two Python scripts that use only the Python stdlib (urllib). Nothing is downloaded from arbitrary URLs and no archives are extracted, so installation is low-risk.
Credentials
The skill requires only HIGHLEVEL_TOKEN and HIGHLEVEL_LOCATION_ID, which are the expected credentials for a GoHighLevel Private Integration. That scope is proportional. The README also advises least-privilege scopes. Reminder: tokens are sensitive and grant API access—only provide sub-account tokens with minimal scopes when possible.
Persistence & Privilege
The skill does not request always:true, does not claim persistent system-wide changes, and does not modify other skills' configurations. It runs as CLI Python scripts and uses environment variables; no automatic background persistence is evident.
Assessment
This skill appears to do exactly what it says: it asks for your GoHighLevel Private Integration token and a Location ID and then uses those to call the official API. Before installing, consider:
1) Provide a sub-account Private Integration token with the minimum scopes needed (avoid Agency-level tokens unless necessary).
2) Test first with a non-production or throwaway sub-account to confirm behavior.
3) Review the included scripts (ghl-api.py and setup-wizard.py) yourself if you want extra assurance—the code is small and stdlib-only.
4) Note the minor metadata/version mismatches (ownerId/version) and confirm you trust the publisher (homepage/contact info in the wizard).
5) If a token is ever exposed or you change the integration scope, rotate the token in GoHighLevel immediately.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977vddzfvnxrj5753qms4npqs839ynx


Runtime requirements

🦞 Clawdis
Env: HIGHLEVEL_TOKEN, HIGHLEVEL_LOCATION_ID
