ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hlp Ghl Api

HubLinkPro GoHighLevel API — manage contacts, pipelines, workflows, and messaging for Tri-Cities real estate lead gen

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 14 · 0 current installs · 0 all-time installs
by@mbright4497
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (manage contacts, pipelines, workflows, messaging) match the actual instructions: all runtime commands are curl calls to services.leadconnectorhq.com and require an API key and location ID. Requested binaries (curl, jq) are appropriate. No unrelated credentials or binaries are requested.
Instruction Scope
The SKILL.md contains explicit curl examples for searching/creating contacts, managing opportunities, sending SMS, triggering workflows, and adding notes—these are within the declared purpose. However, it will transmit contact data (names, emails, phone numbers, notes, messages) to an external service (LeadConnectorHQ) which may include PII. The instructions also reference many placeholder variables (e.g., $EMAIL, $FIRST, $CONTACT_ID, $MESSAGE, $WORKFLOW_ID) that are not listed in requires.env (these are runtime input placeholders rather than required env vars). The skill does not instruct reading local files or unrelated environment variables.
Install Mechanism
This is instruction-only with no install spec and no code files. That reduces surface risk because nothing is written to disk by an installer.
Credentials
Only GHL_API_KEY and GHL_LOCATION_ID are declared as required env vars, which is proportionate for an API integration. Minor inconsistency: registry metadata lists no primary credential even though GHL_API_KEY is clearly the key credential used. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false, no install, no config paths, and no requests to modify other skills or system settings. The skill can be invoked autonomously (platform default), which is normal, but that means it could send data to the external API without further prompts if the agent is permitted to use it.
What to consider before installing
This skill appears to do what it says (calls the LeadConnector/GoHighLevel API using curl), but you should be cautious because the package has no homepage or visible source and the owner metadata is opaque. Before installing: (1) Verify the provider (confirm 'HubLinkPro' and the owner are legitimate); (2) Only provide a GHL API key with the minimum permissions needed (avoid using an account-wide admin key); (3) Expect PII (contact names/emails/phones/notes) to be sent to https://services.leadconnectorhq.com—ensure that endpoint and your data-sharing policy are acceptable; (4) Be aware of SMS costs or outbound messaging side effects (sending SMS could incur charges); (5) If you need higher confidence, ask the publisher for a homepage or repo, or request the skill be republished with a primary credential set to GHL_API_KEY and clear provenance. If you cannot verify the author/source, treat the skill as untrusted and avoid providing production API keys or real contact data.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971n1dfqa8hc7jw59780be66x839dvv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq
EnvGHL_API_KEY, GHL_LOCATION_ID

SKILL.md

HubLinkPro GHL API Skill

Base URL: https://services.leadconnectorhq.com Auth header: Authorization: Bearer $GHL_API_KEY All requests include: Version: 2021-07-28

Get Contact by Phone or Email

curl -s -H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28"
"https://services.leadconnectorhq.com/contacts/search/duplicate?locationId=$GHL_LOCATION_ID&email=$EMAIL" | jq .

Create or Update Contact

curl -s -X POST "https://services.leadconnectorhq.com/contacts/"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json"
-d '{"firstName":"$FIRST","lastName":"$LAST","email":"$EMAIL","phone":"$PHONE","locationId":"'$GHL_LOCATION_ID'","tags":["$TAGS"],"source":"$SOURCE"}' | jq .

Add Tags to Contact

curl -s -X POST "https://services.leadconnectorhq.com/contacts/$CONTACT_ID/tags"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json"
-d '{"tags":["$TAG1","$TAG2"]}' | jq .

Create Opportunity (Pipeline Deal)

curl -s -X POST "https://services.leadconnectorhq.com/opportunities/"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json"
-d '{"pipelineId":"$PIPELINE_ID","locationId":"'$GHL_LOCATION_ID'","name":"$DEAL_NAME","stageId":"$STAGE_ID","contactId":"$CONTACT_ID","status":"open"}' | jq .

Move Opportunity Stage

curl -s -X PUT "https://services.leadconnectorhq.com/opportunities/$OPP_ID/status"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json"
-d '{"stageId":"$NEW_STAGE_ID"}' | jq .

List Pipelines

curl -s -H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28"
"https://services.leadconnectorhq.com/opportunities/pipelines?locationId=$GHL_LOCATION_ID" | jq .

Send SMS via Conversations API

curl -s -X POST "https://services.leadconnectorhq.com/conversations/messages"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json"
-d '{"type":"SMS","contactId":"$CONTACT_ID","message":"$MESSAGE"}' | jq .

Search Contacts by Tag

curl -s -H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28"
"https://services.leadconnectorhq.com/contacts/?locationId=$GHL_LOCATION_ID&query=$SEARCH_TERM&limit=20" | jq .

Get Contact Activity / Notes

curl -s -H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28"
"https://services.leadconnectorhq.com/contacts/$CONTACT_ID/notes" | jq .

Add Note to Contact

curl -s -X POST "https://services.leadconnectorhq.com/contacts/$CONTACT_ID/notes"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json"
-d '{"body":"$NOTE_TEXT"}' | jq .

Trigger Workflow for Contact

curl -s -X POST "https://services.leadconnectorhq.com/contacts/$CONTACT_ID/workflow/$WORKFLOW_ID"
-H "Authorization: Bearer $GHL_API_KEY" -H "Version: 2021-07-28" -H "Content-Type: application/json" | jq .

Key HubLinkPro Context

  • Location: Tri-Cities TN (Johnson City, Kingsport, Bristol)
  • Pipelines: HLP – Sellers, New Construction, Pre-Foreclosure
  • Tags: new-lead, fb-seller, new-construction, pre-foreclosure, contacted, qualified, nurture
  • Agents: Tasha, Nate, Cory, Laura, Mary Ellen, Josh
  • When assigning leads, use tag format: agent-{firstname}

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…