Critical-risk tools in GoHighLevel MCP Server
67 of the 406 tools in GoHighLevel MCP Server are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
- bulk-delete-media-objects (Destructive): Soft-deletes or trashes multiple files and folders in a single request
- bulk-delete-social-planner-posts (Destructive): Deletes multiple posts based on the provided list of post IDs. This operation is useful for clearing up large numbers of posts efficiently. ...
- cancel-invoice-schedule (Destructive): API to cancel a scheduled invoice by schedule id
- cancel-scheduled-email-message (Destructive): Post the messageId for the API to delete a scheduled email message.
- cancel-scheduled-message (Destructive): Post the messageId for the API to delete a scheduled message.
- delete-account (Destructive): Delete account and account from group
- delete-action (Destructive): Delete an existing action from a voice AI agent. This permanently removes the action and its configuration.
- delete-agent (Destructive): Delete a voice AI agent and all its configurations
- DELETE-an-email-sms-template (Destructive): DELETE an email/sms template
- delete-appointment-note (Destructive): Delete Note
- delete-association (Destructive): Delete USER_DEFINED Association By Id, deleting an association will also delete all the relations for that association
- delete-Business (Destructive): Delete Business
- delete-calendar (Destructive): Delete calendar by ID
- delete-calendar-resource (Destructive): Delete calendar resource by ID
- delete-contact (Destructive): Delete Contact
- delete-contact-from-workflow (Destructive): Delete Contact from Workflow
- delete-conversation (Destructive): Delete the conversation details based on the conversation ID
- delete-coupon (Destructive): The
- delete-csv (Destructive): Delete CSV
- delete-csv-post (Destructive): Delete CSV Post
- delete-custom-field (Destructive): Delete Custom Field By Id
- delete-custom-field-2 (Destructive): Delete Custom Field
- delete-custom-field-folder (Destructive): Create Custom Field Folder
- delete-custom-menu (Destructive): Removes a specific custom menu from the system. This operation requires authentication and proper permissions. The custom menu is identified by its unique ID, and the operation ...
- delete-custom-value (Destructive): Delete Custom Value
- delete-estimate (Destructive): Delete an existing estimate
- delete-estimate-template (Destructive): Delete an existing estimate template
- delete-event (Destructive): Delete event by ID
- delete-event-notification (Destructive): Delete notification
- delete-group (Destructive): Delete Group
- delete-integration (Destructive): API to delete an association for an app and location
- delete-invoice (Destructive): API to delete invoice by invoice id
- delete-invoice-schedule (Destructive): API to delete a schedule by schedule id
- delete-invoice-template (Destructive): API to update a template by template id
- delete-link (Destructive): Delete Link
- delete-location (Destructive): Delete a Sub-Account (Formerly Location) from the Agency
- delete-media-content (Destructive): Deletes specific file or folder from the media library
- delete-note (Destructive): Delete Note
- delete-object-record (Destructive): Delete Record By Id. Supported Objects are business and custom objects.
- delete-opportunity (Destructive): Delete Opportunity
- delete-post (Destructive): Delete Post
- delete-price-by-id-for-product (Destructive): The
- delete-product-by-id (Destructive): The
- delete-product-collection (Destructive): Delete specific product collection with Id :collectionId
- delete-product-review (Destructive): Delete specific product review
- delete-recurring-task (Destructive): Delete Recurring Task
- delete-redirect-by-id (Destructive): The
- delete-shipping-carrier (Destructive): Delete specific shipping carrier with Id :shippingCarrierId
- delete-shipping-rate (Destructive): Delete specific shipping rate with Id :shippingRateId
- delete-shipping-zone (Destructive): Delete specific shipping zone with Id :shippingZoneId
- delete-tag (Destructive): Delete tag
- delete-task (Destructive): Delete Task
- delete-template (Destructive): Delete a template
- delete-user (Destructive): Delete User
- remove-contact-from-campaign (Destructive): Remove Contact From Campaign
- remove-contact-from-every-campaign (Destructive): Remove Contact From Every Campaign
- uninstall-application (Destructive): Uninstalls an application from your company or a specific location. This will remove the application ...
- void-invoice (Destructive): API to delete invoice by invoice id
- charge (Financial): Create a new wallet charge
- deleteCharge (Destructive): Delete a wallet charge
- send-invoice (Financial): API to send invoice by invoice id
- record-invoice (Financial): API to record manual payment for an invoice by invoice id
- record-order-payment (Financial): The
- auto-payment-invoice-schedule (Financial): API to manage auto payment for a schedule
- bulkUpdate (Destructive): API to bulk update products (price, availability, collections, delete)
- generate-payment-link (Financial): Update SaaS subscription for given locationId and customerId
- update-saas-subscription-deprecated (Financial): Update SaaS subscription for given locationId and customerId
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.