Highlevel 1.0.7

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real GoHighLevel CRM helper, but it gives an assistant broad live CRM authority with weak confirmations and unsafe onboarding examples.

Review before installing. Use a sub-account token with the smallest scopes needed, start read-only where possible, avoid agency-level or financial/write scopes unless required, do not print or share the bearer token, run setup in a private terminal, and manually confirm any deletes, messages, appointments, invoices/payments, workflow changes, or social posts before allowing the assistant to execute them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions even though its documented behavior requires both environment-variable access for bearer tokens and network access to the GoHighLevel API. This creates a transparency and governance gap: reviewers and users cannot accurately assess what the skill can access before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill is presented as a CRM integration, but the file also embeds promotional links, branding, and affiliate/referral content unrelated to core functionality. This mismatch increases social-engineering risk because users may be nudged toward external sites or marketing funnels under the guise of setup or support.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The invocation guidance includes broad natural-language triggers like 'set up highlevel' or 'connect my GHL', which could match ordinary conversation and cause the setup wizard to run unexpectedly. In a skill with CRM access and credential-dependent operations, accidental activation can lead to unintended disclosure prompts or API actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill advertises privacy- and data-impacting actions such as searching contacts, sending messages, booking appointments, and managing invoices without prominent warnings about handling customer data or performing external side effects. This can cause users to underestimate the sensitivity of the operations and authorize the skill too casually.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions tell users to create and copy a private integration token but do not prominently warn against pasting secrets into chats, logs, or untrusted prompts. Because this token grants direct API access, unsafe handling could expose CRM data and permit unauthorized actions across the connected account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The troubleshooting guide includes copy-pasteable commands that use a live bearer token from environment variables and a POST example that creates a real contact in the remote CRM. Even though this is documentation, it can cause unintended external actions and encourages handling sensitive credentials in shell commands without any warning about side effects, test data creation, or safe use in non-production environments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script exposes destructive delete operations directly from the CLI with no confirmation, dry-run mode, or secondary approval. In an agent-driven context, that increases the risk of accidental or prompt-induced data loss affecting contacts, notes, tasks, opportunities, businesses, and other CRM objects.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The wizard fetches and prints the first five contacts, including names, email addresses, phone numbers, and tags, as a default success step. This exposes potentially sensitive CRM data on screen without any explicit consent prompt, redaction, or privacy warning, which increases the risk of shoulder-surfing, terminal logging, screen recording, or disclosure in shared environments.

VirusTotal

66/66 vendors flagged this skill as clean.
