Critical-risk tools in GoHighLevel MCP Server
88 of the 566 tools in GoHighLevel MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
bulk_delete_social_postsDestructiveDelete multiple social media posts at once (max 50)
-
cancel_scheduled_campaign_messageDestructiveCancel a scheduled campaign message for a contact
-
cancel_scheduled_emailDestructiveCancel a scheduled email before it is sent
-
cancel_scheduled_messageDestructiveCancel a scheduled message before it is sent
-
delete_affiliateDestructiveRemove an affiliate
-
delete_affiliate_campaignDestructiveDelete an affiliate campaign
-
delete_api_keyDestructiveDelete/revoke an API key
-
delete_appointmentDestructiveCancel/delete an appointment from GoHighLevel
-
delete_appointment_noteDestructiveDelete an appointment note
-
delete_businessDestructiveDelete a business from a location
-
delete_calendarDestructiveDelete a calendar from GoHighLevel
-
delete_calendar_groupDestructiveDelete a calendar group
-
delete_calendar_notificationDestructiveDelete calendar notification
-
delete_calendar_resource_equipmentDestructiveDelete an equipment resource
-
delete_calendar_resource_roomDestructiveDelete a room resource
-
delete_caller_idDestructiveDelete a caller ID
-
delete_campaignDestructiveDelete a campaign
-
delete_companyDestructiveDelete a company record
-
delete_contactDestructiveDelete a contact from GoHighLevel
-
delete_contact_noteDestructiveDelete a note for a contact
-
delete_contact_taskDestructiveDelete a task for a contact
-
delete_conversationDestructiveDelete a conversation permanently
-
delete_couponDestructiveDelete a coupon permanently
-
delete_courseDestructiveDelete a course
-
delete_course_categoryDestructiveDelete a course category
-
delete_course_offerDestructiveDelete a course offer
-
delete_course_postDestructiveDelete a course post/lesson
-
delete_course_productDestructiveDelete a course product
-
delete_custom_menuDestructiveDelete a specific custom menu link from the system. The custom menu is identified by its unique ID.
-
delete_custom_provider_integrationDestructiveDelete an existing custom payment provider integration
-
delete_email_campaign_v2DestructiveDelete an Email Campaign V2 campaign.
-
delete_email_templateDestructiveDelete an email template from GoHighLevel.
-
delete_funnel_redirectDestructiveDelete a funnel redirect
-
delete_invoice_templateDestructiveDelete an invoice template
-
delete_ivr_menuDestructiveDelete an IVR menu
-
delete_linkDestructiveDelete a trigger link
-
delete_locationDestructiveDelete a sub-account/location from GoHighLevel
-
delete_location_custom_fieldDestructiveDelete a custom field from a location
-
delete_location_custom_valueDestructiveDelete a custom value from a location
-
delete_location_tagDestructiveDelete a location tag
-
delete_location_templateDestructiveDelete a template from a location
-
delete_marketplace_installationDestructiveUninstall an application from your company or a specific location. This will remove the application\
-
delete_media_fileDestructiveDelete a specific file or folder from the media library
-
delete_noteDestructiveDelete a top-level GHL note by ID.
-
delete_object_recordDestructiveDelete a record from a custom or standard object
-
delete_opportunityDestructiveDelete an opportunity from GoHighLevel CRM
-
delete_review_replyDestructiveDelete a review reply
-
delete_smart_listDestructiveDelete a smart list
-
delete_sms_templateDestructiveDelete an SMS template
-
delete_snippetDestructiveDelete a snippet
-
delete_social_accountDestructiveDelete a social media account connection
-
delete_social_postDestructiveDelete a social media post
-
delete_social_templateDestructiveDelete a social template
-
delete_triggerDestructiveDelete a trigger
-
delete_userDestructiveDelete a user/team member from a location
-
delete_voice_ai_actionDestructiveDelete a voice AI agent action.
-
delete_voice_ai_agentDestructiveDelete a voice AI agent and all its configurations.
-
delete_voicemailDestructiveDelete a voicemail message
-
delete_voicemail_templateDestructiveDelete a voicemail template
-
delete_webhookDestructiveDelete a webhook
-
delete_whatsapp_templateDestructiveDelete a WhatsApp template
-
ghl_delete_agentDestructivePermanently delete an AI agent and all its versions. This action is irreversible.
-
ghl_delete_associationDestructiveDelete a user-defined association. This will also delete all relations created with this association.
-
ghl_delete_custom_fieldDestructiveDelete a custom field by ID. This will permanently remove the field and its data.
-
ghl_delete_custom_field_folderDestructiveDelete a custom field folder. This will also affect any fields within the folder.
-
ghl_delete_email_domainDestructiveRemove a sending domain from a location. Emails using this domain will no longer be sent after removal.
-
ghl_delete_productDestructiveDelete a product by ID
-
ghl_delete_relationDestructiveDelete a specific relation between two entities.
-
ghl_delete_shipping_carrierDestructiveDelete a shipping carrier
-
ghl_delete_shipping_rateDestructiveDelete a shipping rate
-
ghl_delete_shipping_zoneDestructiveDelete a shipping zone and all its associated shipping rates
-
ghl_delete_surveyDestructivePermanently delete a survey and all its data. This action is irreversible.
-
ghl_delete_workflowDestructivePermanently delete a workflow by ID. This cannot be undone.
-
ghl_release_phone_numberDestructiveRelease (remove) a purchased phone number from a location. This will stop billing for the number.
-
release_phone_numberDestructiveRelease/delete a phone number
-
remove_contact_from_all_campaignsDestructiveRemove contact from all campaigns
-
remove_contact_from_campaignDestructiveRemove contact from a specific campaign
-
remove_contact_from_workflowDestructiveRemove contact from a workflow
-
remove_course_enrollmentDestructiveRemove a contact from a course
-
create_billing_chargeFinancialCreate a new wallet charge for a location. Used to bill sub-accounts for usage-based features in your marketplace app.
-
delete_billing_chargeFinancialDelete a wallet charge by charge ID. This removes/refunds the specified charge.
-
send_invoiceFinancialSend an invoice to customer
-
ghl_buy_phone_numberFinancialPurchase an available phone number for a location. The number will be billed to the location account.
-
purchase_phone_numberFinancialPurchase a phone number
-
record_order_paymentFinancialRecord a manual payment for an order
-
verify_emailFinancialVerify email address deliverability and get risk assessment. Charges will be deducted from the specified location wallet.
-
create_payoutFinancialCreate a payout for affiliate
-
update_saas_subscriptionFinancialUpdate SaaS subscription settings for a location
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.