Security audit

Hlp Ghl Api

Security checks across malware telemetry and agentic risk

Overview

This is a transparent GoHighLevel CRM helper that can change records and send SMS, so it should be installed only when that account access is intended.

Install this only if you want an agent to operate your GoHighLevel account. Use a least-privilege API key, protect the environment variables, verify contact/workflow IDs before running commands, and require explicit human confirmation and proper consent before changing CRM records, triggering workflows, or sending SMS.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill enables CRM mutations and SMS sending involving personal data, but provides no warning, confirmation step, or guidance about consent, privacy, or irreversible record changes. In a real-estate lead generation context handling contacts, phone numbers, notes, and workflow triggers, this increases the risk of unauthorized outreach, privacy violations, and unintended data modification.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.