ClawHub

Hlp Ghl Api

PassAudited by ClawScan on May 10, 2026.

Overview

The skill is a straightforward GoHighLevel API helper, but it can change CRM records, trigger automations, and send SMS using your configured API key.

Install this only if you want the agent to help operate your GoHighLevel account. Protect the API key, use the narrowest permissions available, and ask the agent to confirm before making CRM changes, sending SMS, or triggering workflows.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

The agent could create or change contacts, deals, tags, notes, and messages in the connected GoHighLevel account when asked to use these commands.

Why it was flagged

The skill exposes direct API templates that can modify CRM data and send outbound SMS. This matches the stated purpose, but these are high-impact actions users should explicitly intend.

Skill content
## Create or Update Contact ... curl -s -X POST "https://services.leadconnectorhq.com/contacts/" ... ## Send SMS via Conversations API ... curl -s -X POST "https://services.leadconnectorhq.com/conversations/messages"
Recommendation

Use the skill with clear instructions, and require confirmation before sending SMS, changing deal stages, adding notes, or updating contacts.

Low
#ASI03: Identity and Privilege Abuse
What this means

Anyone or any agent session with access to the configured API key may act within whatever permissions that GoHighLevel key grants.

Why it was flagged

The skill requires a bearer API key for GoHighLevel. This is expected for the integration, and the artifact does not show credential leakage or unrelated use.

Skill content
requires:\n  env:\n    - GHL_API_KEY\n    - GHL_LOCATION_ID ... Auth header: `Authorization: Bearer $GHL_API_KEY`
Recommendation

Use the least-privileged, location-scoped API key available, keep it in protected environment variables, and rotate it if it is exposed.

Low
#ASI08: Cascading Failures
What this means

A mistaken workflow trigger could start automated actions for the wrong lead or at the wrong time.

Why it was flagged

Triggering a GoHighLevel workflow can cause downstream automations such as follow-ups or messaging. This is purpose-aligned but can amplify mistakes if the wrong contact or workflow ID is used.

Skill content
## Trigger Workflow for Contact\n\ncurl -s -X POST "https://services.leadconnectorhq.com/contacts/$CONTACT_ID/workflow/$WORKFLOW_ID"
Recommendation

Verify contact IDs, workflow IDs, and intended downstream effects before triggering workflows, preferably in a test workflow first.