Hlp Ghl Api

Pass
Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: hlp-ghl-api
Version: 1.0.0

The skill bundle contains multiple shell injection vulnerabilities in SKILL.md due to the insecure construction of curl commands. Specifically, variables like $GHL_LOCATION_ID, $FIRST, and $EMAIL are concatenated into shell strings in a way that allows arbitrary command execution if the inputs are not strictly sanitized (e.g., the use of "'$GHL_LOCATION_ID'" breaks out of single quotes). While the skill's logic is clearly aligned with its stated purpose of managing GoHighLevel CRM data via legitimate endpoints (services.leadconnectorhq.com), these vulnerabilities represent a significant security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could create or change contacts, deals, tags, notes, and messages in the connected GoHighLevel account when asked to use these commands.

Why it was flagged

The skill exposes direct API templates that can modify CRM data and send outbound SMS. This matches the stated purpose, but these are high-impact actions users should explicitly intend.

Skill content

## Create or Update Contact
...
curl -s -X POST "https://services.leadconnectorhq.com/contacts/"
...
## Send SMS via Conversations API
...
curl -s -X POST "https://services.leadconnectorhq.com/conversations/messages"

Recommendation

Use the skill with clear instructions, and require confirmation before sending SMS, changing deal stages, adding notes, or updating contacts.

What this means

Anyone or any agent session with access to the configured API key may act within whatever permissions that GoHighLevel key grants.

Why it was flagged

The skill requires a bearer API key for GoHighLevel. This is expected for the integration, and the artifact does not show credential leakage or unrelated use.

Skill content

requires:
  env:
    - GHL_API_KEY
    - GHL_LOCATION_ID
...
Auth header: `Authorization: Bearer $GHL_API_KEY`

Recommendation

Use the least-privileged, location-scoped API key available, keep it in protected environment variables, and rotate it if it is exposed.

Note (High Confidence)
ASI08: Cascading Failures
What this means

A mistaken workflow trigger could start automated actions for the wrong lead or at the wrong time.

Why it was flagged

Triggering a GoHighLevel workflow can cause downstream automations such as follow-ups or messaging. This is purpose-aligned but can amplify mistakes if the wrong contact or workflow ID is used.

Skill content

## Trigger Workflow for Contact

curl -s -X POST "https://services.leadconnectorhq.com/contacts/$CONTACT_ID/workflow/$WORKFLOW_ID"

Recommendation

Verify contact IDs, workflow IDs, and intended downstream effects before triggering workflows, preferably in a test workflow first.