功能描述

Connect your AI assistant to GoHighLevel CRM via the official API v2. Manage contacts, conversations, calendars, pipelines, invoices, payments, workflows, an...

使用说明 (SKILL.md)

GoHighLevel API Skill

Name: GoHighLevel
Author: 10xcoldleads

Turn your AI assistant into a GoHighLevel command center. Search contacts, send messages, book appointments, manage pipelines, create invoices, schedule social posts — across all 39 GHL API v2 endpoint groups, using plain English.

Don't have GoHighLevel yet? Start with the free 5-Day AI Employee Challenge and build a fully automated system: 👉 Start the 5-Day AI Employee Challenge

Requirements

Requirement	Details
Runtime	Python 3.6+ (uses only standard library: `urllib`, `json`, `os`, `re`, `sys`, `time`)
External packages	None — zero `pip install` required
Environment variables	`HIGHLEVEL_TOKEN` (Primary — your Private Integration bearer token)
	`HIGHLEVEL_LOCATION_ID` (your sub-account Location ID)
Network access	HTTPS to `services.leadconnectorhq.com` only

Base URL: https://services.leadconnectorhq.com Required Headers: Authorization: Bearer $HIGHLEVEL_TOKEN + Version: 2021-07-28 Rate Limits: 100 requests/10 seconds burst, 200K/day per location

Security Design

All API functions use pre-defined endpoint paths — there is no arbitrary HTTP request capability. Every user-supplied ID is validated against a strict alphanumeric regex (^[a-zA-Z0-9_-]{1,128}$) before being included in any URL path, preventing path traversal and injection. The scripts use only Python's built-in urllib.request for all network calls. No shell commands, no external binaries, no file writes outside of stdout.

Setup — `/highlevel-setup`

If the user says "set up highlevel", "connect my GHL", or /highlevel-setup, run the setup wizard:

python3 scripts/setup-wizard.py

The wizard automatically: checks environment variables → guides Private Integration creation → tests the connection → pulls first 5 contacts as a quick win.

Manual Setup (if wizard can't run)

Step 1: Create a Private Integration (NOT the old API Keys method)

Log into app.gohighlevel.com
Switch to your Sub-Account (recommended for single-location use)
Click Settings (bottom-left gear icon)
Select Private Integrations in the left sidebar
- If not visible, enable it first: Settings → Labs → toggle Private Integrations ON
Click "Create new Integration"
Enter a name (e.g., "Claude AI Assistant") and description

Grant only the scopes you need (least-privilege recommended):

Use case	Recommended scopes
Contact management only	`contacts.readonly`, `contacts.write`
Contacts + messaging	Above + `conversations.readonly`, `conversations.write`, `conversations/message.write`
Full CRM (contacts, calendar, pipeline)	Above + `calendars.readonly`, `calendars.write`, `opportunities.readonly`, `opportunities.write`
Adding workflows & invoices	Above + `workflows.readonly`, `invoices.readonly`, `invoices.write`
Read-only reporting	`contacts.readonly`, `opportunities.readonly`, `calendars.readonly`, `invoices.readonly`, `locations.readonly`

You can always add more scopes later in Settings → Private Integrations → Edit without regenerating the token.

Click Create → Copy the token IMMEDIATELY — it is shown only once and cannot be retrieved later

Agency vs Sub-Account Integrations

Feature	Agency Integration	Sub-Account Integration
Created at	Agency Settings → Private Integrations	Sub-Account Settings → Private Integrations
Access scope	Agency + all sub-accounts (pass `locationId`)	Single location only
Available scopes	All scopes including `locations.write`, `oauth.`, `saas.`, `snapshots.*`, `companies.readonly`	Sub-account scopes only
Best for	Multi-location management, SaaS configurator	Single client integrations (recommended default)

Recommendation: Start with a Sub-Account integration and the minimum scopes you need. You can upgrade to Agency-level later if you need multi-location access.

Step 2: Get Your Location ID

While in the sub-account, go to Settings → Business Info (or Business Profile)
The Location ID is displayed in the General Information section
Alternative: check the URL bar — it's the ID after /location/ in app.gohighlevel.com/v2/location/{LOCATION_ID}/...

Step 3: Set Environment Variables

export HIGHLEVEL_TOKEN="your-private-integration-token"
export HIGHLEVEL_LOCATION_ID="your-location-id"

Step 4: Test Connection

Run python3 scripts/ghl-api.py test_connection — should return location name and status.

After successful setup, pull 5 contacts as a quick win to confirm everything works.

Helper Script

scripts/ghl-api.py — Executable Python script (stdlib only) with built-in retry logic, pagination, input validation, and error handling.

Core Commands:

Command	Description
`test_connection`	Verify token + location ID work
`search_contacts [query]`	Search by name, email, or phone
`get_contact [id]`	Get full contact details
`create_contact [json]`	Create new contact
`update_contact [id] [json]`	Update contact fields
`list_opportunities`	List pipeline opportunities
`list_conversations`	List recent conversations
`send_message [contactId] [message]`	Send SMS/email
`list_calendars`	List all calendars
`get_free_slots [calendarId] [startDate] [endDate]`	Available booking slots
`list_workflows`	List all workflows
`add_to_workflow [contactId] [workflowId]`	Enroll contact in workflow
`list_invoices`	List invoices
`list_products`	List products
`list_forms`	List forms
`list_campaigns`	List campaigns
`get_location_details`	Get location info
`list_location_tags`	List location tags
`list_courses`	List courses/memberships

All functions are safe, pre-defined endpoints. No arbitrary request capability.

Complete API v2 Coverage (39 Endpoint Groups)

The skill provides safe, specific functions for all major GHL operations. Each function maps to a specific, allowed API endpoint with validated parameters.

#	Group	Base Path	Key Operations	Scope Prefix
1	Contacts	`/contacts/`	CRUD, search, upsert, tags, notes, tasks, bulk ops	`contacts`
2	Conversations	`/conversations/`	Search, messages (SMS/email/WhatsApp/FB/IG/chat), recordings	`conversations`
3	Calendars	`/calendars/`	CRUD, free slots, groups, resources, appointments	`calendars`
4	Opportunities	`/opportunities/`	CRUD, search, pipelines, stages, status, followers	`opportunities`
5	Workflows	`/workflows/`	List workflows, enroll/remove contacts	`workflows`
6	Campaigns	`/campaigns/`	List campaigns (read-only)	`campaigns`
7	Invoices	`/invoices/`	CRUD, send, void, record payment, Text2Pay, schedules, estimates	`invoices`
8	Payments	`/payments/`	Orders, transactions, subscriptions, coupons, providers	`payments`
9	Products	`/products/`	CRUD, prices, collections, reviews, store stats	`products`
10	Locations	`/locations/`	Get/update location, custom fields, custom values, tags, templates	`locations`
			Custom Fields CRUD:
			`GET /locations/{id}/customFields` — List
			`POST /locations/{id}/customFields` — Create
			`PUT /locations/{id}/customFields/{fid}` — Update
			`DELETE /locations/{id}/customFields/{fid}` — Delete
			Custom Values CRUD:
			`GET /locations/{id}/customValues` — List
			`POST /locations/{id}/customValues` — Create
			`PUT /locations/{id}/customValues/{vid}` — Update
			`DELETE /locations/{id}/customValues/{vid}` — Delete
			Tags CRUD:
			`GET /locations/{id}/tags` — List
			`POST /locations/{id}/tags` — Create
			`PUT /locations/{id}/tags/{tid}` — Update
			`DELETE /locations/{id}/tags/{tid}` — Delete
11	Users	`/users/`	CRUD, filter by email/role	`users`
12	Forms	`/forms/`	List forms, get submissions	`forms`
13	Surveys	`/surveys/`	List surveys, get submissions	`surveys`
14	Funnels	`/funnels/`	List funnels, pages, redirects	`funnels`
15	Social Planner	`/social-media-posting/`	Posts CRUD, accounts, CSV import, categories, stats	`socialplanner`
16	Blogs	`/blogs/`	Create/update posts, categories, authors	`blogs`
17	Email	`/emails/`	Templates CRUD, scheduled emails	`emails`
18	Media	`/medias/`	Upload, list, delete files	`medias`
19	Trigger Links	`/links/`	CRUD trigger links	`links`
20	Businesses	`/businesses/`	CRUD businesses	`businesses`
21	Companies	`/companies/`	Get company details (Agency)	`companies`
22	Custom Objects	`/objects/`	Schema CRUD, record CRUD	`objects`
23	Associations	`/associations/`	CRUD associations and relations	`associations`
24	Proposals/Docs	`/proposals/`	Documents, contracts, templates	`documents_contracts`
25	Snapshots	`/snapshots/`	List, status, share links (Agency)	`snapshots`
26	SaaS	`/saas/`	Subscription mgmt, plans, bulk ops (Agency $497)	`saas`
27	Courses	`/courses/`	Import courses/memberships	`courses`
28	Voice AI	`/voice-ai/`	Call logs, agent CRUD, actions, goals	`voice-ai`
29	Phone System	`/phone-system/`	Phone numbers, number pools	`phonenumbers`
30	Custom Menus	`/custom-menus/`	CRUD custom menu links (Agency)	`custom-menu-link`
31	OAuth	`/oauth/`	Token exchange, installed locations	`oauth`
32	Marketplace	`/marketplace/`	Installations, billing, charges	`marketplace`
33	Conversation AI	`/conversation-ai/`	AI chatbot configuration	—
34	Knowledge Base	`/knowledge-base/`	Knowledge base for AI features	—
35	AI Agent Studio	`/agent-studio/`	Custom AI agent CRUD	—
36	Brand Boards	`/brand-boards/`	Brand board management	—
37	Store	`/store/`	E-commerce store management	—
38	LC Email	`/lc-email/`	Email infrastructure (ISV)	—
39	Custom Fields	`/locations/:id/customFields/`	Custom field CRUD	`locations/customFields`

Reference Docs (load on demand)

For detailed endpoint paths, parameters, and examples for each group:

references/contacts.md — Contact CRUD, search, tags, notes, tasks, bulk operations
references/conversations.md — Messaging across all channels, recordings, transcriptions
references/calendars.md — Calendar CRUD, free slots, appointments, groups, resources
references/opportunities.md — Pipeline management, stages, status updates
references/invoices-payments.md — Invoices, payments, orders, subscriptions, products
references/locations-users.md — Location settings, custom fields/values, users, tags
references/social-media.md — Social planner posts, accounts, OAuth connections
references/forms-surveys-funnels.md — Forms, surveys, funnels, trigger links
references/advanced.md — Custom objects, associations, snapshots, SaaS, Voice AI, blogs, courses
references/troubleshooting.md — Common errors, rate limits, token rotation, debugging

Important Notes

Private Integrations are required — the old Settings → API Keys method is deprecated/EOL
Token rotation: Tokens don't auto-expire but GHL recommends 90-day rotation. Unused tokens auto-expire after 90 days inactivity
- "Rotate and expire later" — new token generated, old token stays active for 7-day grace period
- "Rotate and expire now" — old token invalidated immediately (use for compromised credentials)
- You can edit scopes without regenerating the token
OAuth tokens (marketplace apps only): Access tokens expire in 24 hours (86,399s); refresh tokens last up to 1 year
Agency tokens can access sub-account data by passing locationId parameter
Rate limits are per-resource — each sub-account independently gets 100/10s burst + 200K/day. SaaS endpoints: 10 req/sec global
All list endpoints default to 20 records, max 100 per page via limit param
Use cursor pagination with startAfter / startAfterId for large datasets
Monitor rate limits via response headers: X-RateLimit-Limit-Daily, X-RateLimit-Daily-Remaining, X-RateLimit-Max, X-RateLimit-Remaining, X-RateLimit-Interval-Milliseconds
$497 Agency Pro plan required for: SaaS Configurator, Snapshots, full agency management APIs

Webhook Events

50+ webhook event types for real-time notifications. Key events: ContactCreate, ContactDelete, ContactTagUpdate, InboundMessage, OutboundMessage, OpportunityCreate, OpportunityStageUpdate, OpportunityStatusUpdate, appointment events, payment events, form submission events. Webhooks continue firing even if access token expires. Config is per marketplace app. Docs: https://marketplace.gohighlevel.com/docs/webhook/WebhookIntegrationGuide

Official SDKs & Developer Resources

Node.js: @gohighlevel/api-client (npm) — supports privateIntegrationToken config, auto 401 retry
Python: gohighlevel-api-client (PyPI) — session storage, auto token refresh, webhook middleware
PHP SDK also available
All SDKs use apiVersion: '2021-07-28'
OpenAPI Specs: https://github.com/GoHighLevel/highlevel-api-docs
API Docs: https://marketplace.gohighlevel.com/docs/
Developer Slack: https://developers.gohighlevel.com/join-dev-community

Built by Ty Shane

🌐 LaunchMyOpenClaw.com • 🌐 MyFBLeads.com ▶️ YouTube @10xcoldleads • 📘 Facebook • 💼 LinkedIn 📧 [email protected]

No GoHighLevel account yet? → Start the free 5-Day AI Employee Challenge

安全使用建议

This skill appears coherent and implements a standard GoHighLevel API client. Before installing or running it: 1) Only provide a Private Integration token created for a sub-account and grant the minimum scopes required; avoid agency-level scopes unless you need them. 2) Do not paste your token into public chat or third-party sites. 3) Review the included scripts locally (they are stdlib-only) before running them to confirm they behave as expected. 4) If you are concerned about blast radius, create a test sub-account and a token with read-only scopes to validate functionality first. 5) Note the small metadata mismatch (SKILL.md marks HIGHLEVEL_TOKEN as primary while registry metadata shows none) — this is likely bookkeeping, not functionally harmful, but you may want the publisher to correct it.

功能分析

Type: OpenClaw Skill Name: highlevel Version: 1.0.7 The skill is well-engineered, using only Python's standard library and implementing strict input validation for IDs to prevent path traversal and URL injection in `scripts/ghl-api.py`. Network access is correctly restricted to the GoHighLevel API base URL. However, the skill is classified as 'suspicious' due to the inherent vulnerability surface for prompt injection against the AI agent. The `ghl-api.py` script allows the agent to pass arbitrary JSON content (e.g., for `create_contact`, `send_message`, `create_social_post`) directly to the GoHighLevel API. While the skill itself does not contain malicious code or attempt to exfiltrate data, a compromised AI agent could be prompted to construct and send harmful data (e.g., phishing messages, malicious URLs for attachments if the GHL API is vulnerable to SSRF) via these API calls, leveraging the skill's legitimate functionality for unintended purposes. The `SKILL.md` documentation itself does not contain malicious prompt injection attempts.

能力评估

✓ Purpose & Capability

Name/description (GoHighLevel CRM via API v2) match the included scripts and reference docs. The two required env vars (HIGHLEVEL_TOKEN, HIGHLEVEL_LOCATION_ID) are exactly what an API client for this service needs. The code targets services.leadconnectorhq.com and implements endpoints documented in the references.

✓ Instruction Scope

SKILL.md and the included setup and API helper scripts only read the declared environment variables and make HTTPS calls to the stated Base URL. The setup wizard is interactive and does not attempt to read unrelated files or send data to third-party endpoints outside the documented GHL API. The skill explicitly validates IDs and uses urllib (no shell commands).

✓ Install Mechanism

No install spec or external downloads are present. The skill is instruction-only with bundled Python stdlib scripts — nothing is written to disk by an installer and no external packages are pulled.

ℹ Credentials

The two requested environment variables (HIGHLEVEL_TOKEN and HIGHLEVEL_LOCATION_ID) are appropriate for the stated purpose. Minor metadata inconsistency: registry metadata lists no primary credential while SKILL.md calls HIGHLEVEL_TOKEN the Primary token. Otherwise there are no unrelated secrets requested. Be aware that the provided token's scopes determine the privilege level (some endpoints can delete locations or manage billing when given agency-level scopes).

✓ Persistence & Privilege

The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide settings. The setup wizard sets env vars in-process only (does not persist configuration to files) and helper scripts print output to stdout; there is no installer creating persistent agents or background services.

版本历史

v1.0.7

- Added a new metadata section to SKILL.md, specifying the author, version, and required environment variables. - No code or functionality changes; documentation and metadata only. - The skill version in SKILL.md remains 1.2.0.

v1.0.6

- Updated version to 1.2.0. - Expanded description to reflect 100+ pre-built, safe API commands (previously 40+). - Added .clawhub/origin.json file for improved origin tracking. - No breaking changes to setup or usage.

v1.0.5

**Version 1.1.0 — Security hardening, zero dependencies, and improved setup guidance** - Now requires Python 3.6+ with no external packages (stdlib-only: urllib, json, os, re, sys, time). - Strengthened security: all API calls use only pre-defined endpoint paths with strict input validation and no shell/file operations. - Improved setup instructions: recommend least-privilege scopes and sub-account integrations by default. - Expanded documentation for helper script usage and scope selection. - No functional or file-level changes; this update is documentation and metadata only.

v1.0.4

- Removed the file scripts/test-connection-fixed.py. - No functionality changes; this update cleans up unused or redundant test scripts.

v1.0.3

v1.0.3 Changelog - Tightened security: skill now only exposes safe, specific functions for each GoHighLevel API operation. - Removed arbitrary endpoint access via custom request; only validated, documented commands are allowed. - Added new helper functions: get_location_details, list_location_tags, and list_courses. - Updated documentation to reflect changes in function availability and clarify API usage. - No changes to existing setup or environment requirements.

v1.0.2

-Added Auto Pagination when pulling data with limited array returns

v1.0.1

- Added _meta.json file for enhanced metadata management. - Introduced scripts/test-connection-fixed.py for more robust connection testing. - No changes to existing features or user-facing functionality.

v1.0.0

Initial release: Connect and manage your GoHighLevel CRM directly through Openclaw. - Provides interactive setup wizard and detailed manual setup instructions for the GoHighLevel API v2. - Supports over 39 endpoint groups: contacts, conversations, calendars, pipelines, invoices, payments, workflows, social media, and more. - Includes more than 40 pre-built API commands, plus a universal `custom_request` command for full endpoint coverage. - Features a helper Python script with retry logic and error handling for CLI management. - Designed for both agency-wide and sub-account access with detailed environment variable configuration.

元数据

Slug highlevel

版本 1.0.7

许可证 —

累计安装 6

当前安装数 5

历史版本数 8

常见问题

GoHighLevel 是什么？

Connect your AI assistant to GoHighLevel CRM via the official API v2. Manage contacts, conversations, calendars, pipelines, invoices, payments, workflows, an... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1927 次。

如何安装 GoHighLevel？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install highlevel」即可一键安装，无需额外配置。

GoHighLevel 是免费的吗？

是的，GoHighLevel 完全免费（开源免费），可自由下载、安装和使用。

GoHighLevel 支持哪些平台？

GoHighLevel 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 GoHighLevel？

由 10xcoldleads（@10xcoldleads）开发并维护，当前版本 v1.0.7。

GoHighLevel