Back to skill
Skillv1.0.0
ClawScan security
GoHighLevel Open Account · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 10, 2026, 4:16 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only guide for creating GoHighLevel developer accounts and apps and does not request unexplained credentials, install software, or perform out-of-scope actions.
- Guidance
- This skill is a plain guide and appears coherent with its purpose. Before using it: (1) avoid pasting Client Secret or access tokens into chat — perform the OAuth flow in a browser and store secrets in a secrets manager or env vars as recommended; (2) verify the required GoHighLevel plan (Agency Pro for full OAuth features) before proceeding; (3) be aware the sign-up link includes an affiliate/referral parameter if you prefer using a neutral link; (4) when connecting bots, grant only the scopes needed and use a secure redirect URI; (5) because this is instruction-only, the agent will not itself hold or transmit credentials unless you explicitly provide them — treat any prompt for secrets with caution.
Review Dimensions
- Purpose & Capability
- okName and description match the content: SKILL.md walks an agent through signing up, creating a Marketplace app, and running an OAuth flow. No unrelated environment variables, binaries, or installs are requested.
- Instruction Scope
- noteInstructions stay within the stated purpose (sign-up, app creation, OAuth). It recommends storing Client ID/Secret in env vars or a secrets manager (appropriate). Minor note: the sign-up link includes an affiliate/referral parameter; that biases where the agent is directed but is not a security risk by itself. The doc references connecting specific bots (clawdbot/moltbot/open claw) which is consistent with purpose.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill (lowest install risk).
- Credentials
- okThe skill declares no required environment variables or credentials. It sensibly advises storing the Client ID/Client Secret in env vars or a secrets manager but does not demand them. No unrelated credentials are requested.
- Persistence & Privilege
- okSkill does not request always:true or special privileges. Model invocation and user-invocation flags are left at defaults; this is typical for an instruction-only guidance skill.