GoHighLevel Open Account

Security checks across malware telemetry and agentic risk

Overview

This is a non-executing GoHighLevel setup guide whose OAuth and credential handling are expected for its purpose, with normal caution needed around secrets.

Before installing, understand that this skill helps create GoHighLevel app credentials and OAuth access that may authorize access to agency or sub-account data. Use the minimum scopes needed, confirm the account being connected, keep Client Secrets and tokens out of normal chat, logs, screenshots, and repositories, store them only in an approved secrets manager, and use a direct GoHighLevel URL if you do not want to use the referral signup link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs agents to obtain Client ID, Client Secret, and OAuth tokens and mentions secure storage, but it does not clearly warn that these secrets must never be requested in plain chat, logged, echoed back, or retained outside an approved secret store. In an agentic setting, that omission is risky because an agent may prompt the user to paste sensitive credentials into the conversation or mishandle tokens during the OAuth flow, leading to account compromise or unauthorized API access.

VirusTotal

66/66 vendors flagged this skill as clean.
