clawdbot-workspace/pentest-superfunnels/FUNNEL-CREATION-REPORT.md
2026-02-06 23:01:30 -05:00

SuperFunnels AI — Funnel Creation Walkthrough Report

Date: February 6, 2026
Researcher: Automated walkthrough via Clawdbot
Account: jake@burtonmethod.com (logged in as Jake Shore)
Account Email on File: sftesta6577921@virgilian.com
Plan: Free ($0, 3 credits, limited to 1 GHL account)
Tokens Balance: 0


Executive Summary

SuperFunnels AI is a HighLevel (GHL) funnel cloning/generation tool built on Laravel/Filament with Livewire components. The Funnel Wizard is completely gated behind GoHighLevel account connection — without valid GHL credentials, you cannot access any funnel creation functionality. The app requires both GHL API connection AND a login session (browser-based) to function.

The funnel creation wizard (visible via tutorial video thumbnail) collects business information and uses AI to generate funnel copy, then deploys directly to GHL.


Step-by-Step Walkthrough

Step 1: Login (Already Authenticated)

  • URL: https://app.superfunnelsai.com/app/login
  • Result: Session was already active from previous exploration. Redirected to dashboard.
  • Screenshot: step01-dashboard-ghl-connect.png

Step 2: Dashboard — GHL Connection Required

  • URL: https://app.superfunnelsai.com/app
  • What's shown: "Quick Setup" page with "Connect Your HighLevel Account" as the primary CTA
  • Two connection methods offered:
    1. Chrome Extension (1-Click Connect) — installs dollonnbdephinbelejjjjeidfcncfod extension
    2. HighLevel Login Credentials — opens a modal to enter GHL email/password
  • Screenshot: step04-connect-ghl-full.png
  • Key observation: The entire app is essentially non-functional without GHL connection

Step 3: GHL Login Modal

  • Triggered by: "Use HighLevel Login Credentials →" button
  • Modal fields:
    • GoHighLevel Email (placeholder: you@agency.com)
    • Password (placeholder: ••••••••)
    • Checkbox: "Remember my session (encrypted)" (checked by default)
    • Red warning text: "Login to your HighLevel account to continue."
  • API endpoint: POST /api/ghl-session/login
  • Screenshot: step02-ghl-login-modal.png

Step 4: GHL Login Attempt (Failed)

  • Entered: jake@burtonmethod.com / FMQ-gbd6qxb@zmb6mbt (SuperFunnels credentials, NOT GHL)
  • Result: "Invalid email or password" — correctly rejects non-GHL credentials
  • Screenshot: step11-ghl-login-invalid.png
  • Key insight: The system proxies login to GoHighLevel's auth system, NOT its own

Step 5: Funnel Wizard Navigation (Blocked)

  • URL attempted: https://app.superfunnelsai.com/app/funnel-cloner
  • Result: Server-side redirect back to https://app.superfunnelsai.com/app (dashboard)
  • Toast notification: "HighLevel Connection Required — Before you can start creating magic, you need to authorize your HighLevel login session"
  • Screenshot: step03-ghl-required-toast.png

Step 6: User Settings

  • URL: https://app.superfunnelsai.com/app/user-settings
  • Accessible: Yes
  • Data shown:
  • Screenshot: step05-user-settings.png
  • Finding: The displayed email differs from login email — account uses auto-generated email

Step 7: Subscription Management / Plans & Billing

  • URL: https://app.superfunnelsai.com/app/subscription-management
  • Accessible: Yes
  • Plans visible (all one-time pricing, not subscriptions):
| Plan | Price | Credits | GHL Accounts | Key Features |
|---|---|---|---|---|
| Free (Current) | $0 | 3 | 1 | 3 pre-selected templates |
| Starter | $297 (was $597) | 100 | 1 | 500+ template library, AI copywriting |
| Agency (Most Popular) | $497 (was $997) | 1000 | 100 | Import any template, Super Editor license |
| Founder's Lifetime Deal | $1,297 (was $2,997) | 1500 | Unlimited | White label, VIP support, 24 left |
  • Screenshot: step06-subscription-plans.png

Step 8: Funnel Builds

  • URL: https://app.superfunnelsai.com/app/funnel-builds
  • Accessible: Yes
  • Content: "No builds yet." — empty state
  • Screenshot: step07-funnel-builds-empty.png

Step 9: My Templates

  • URL: https://app.superfunnelsai.com/app/ghl-templates
  • Accessible: Yes
  • Content: "No Templates" — empty state with search/filter
  • Screenshot: step08-templates-empty.png

Step 10: Import GHL Templates

  • URL: https://app.superfunnelsai.com/app/ghl-templates/import
  • Accessible: Yes (page loads)
  • Content: "Upgrade required — Want to import your own templates? Upgrade to get access."
  • Screenshot: step09-import-templates-upgrade.png

Step 11: Support / FAQ

  • URL: https://app.superfunnelsai.com/app/support/get-support
  • Accessible: Yes
  • FAQ content:
    • Authentication requires GHL API connection + login session
    • "You need to use the exact same credentials you used to login to HighLevel"
    • Template import not available on all plans
  • Screenshot: step12-support-faq.png

Step 12: Tutorials Modal

  • 4 tutorial videos available:
    1. "Connecting Super Funnels AI with HighLevel" (Getting Started)
    2. "Creating a HighLevel funnel or website in Super Funnels AI" (Getting Started)
    3. "Importing HighLevel templates to your Super Funnels AI account" (Getting Started)
    4. "Importing a template from any HighLevel link" (Getting Started)
  • Screenshot: step13-tutorials-modal.png

Step 13: Tutorial Video — Funnel Creation Wizard Revealed

  • Video URL: https://www.youtube.com/watch?v=WVuQzcg1fs0
  • Title: "Creating a HighLevel funnel or website in Super Funnels AI"
  • Screenshot: step14-tutorial-video-showing-wizard.png

The video thumbnail clearly shows the Funnel Creation Wizard Form with these fields:

| Field | Required | Placeholder/Description |
|---|---|---|
| Business Name | MANDATORY FOR AI | "Name of the business" |
| Business Description | MANDATORY FOR AI | "Describe the business in 2-3 sentences" |
| "FILL THE REST WITH AI" button | N/A | Auto-fills remaining fields from name + description |
| Business niche | Optional | "e.g., Local Bakery, Digital Marketing Agency, Fitness Studio, Restaurant, Law Firm" |
| Who is it for? | Optional | "Describe the niche, role, or demographic you're targeting" |
| What are you offering? | Optional | "Summarize the offer, service or product" |
| Value proposition | Optional | "Explain the main problem you solve and the outcome you promise" |
| Why choose you? | Optional | "Mention differentiators, proof, guarantees, awards, etc." |
| Call to action | Optional | "e.g., Book a consult, Start free trial, Claim your seat" |
| Tone of Voice | Optional | (visible but placeholder cut off) |
| Back / Let's GO! 🚀 | N/A | Navigation buttons |

Technical Architecture & Findings

Tech Stack

  • Framework: Laravel (PHP) with Filament admin panel
  • Frontend: Livewire (server-side rendering) + Alpine.js + React (for GHL login modal)
  • Build tool: Vite (app-CQli-r76.js bundle)
  • Real-time: Laravel Echo + WebSockets (attempting wss://ws.app.theagencytoolkit.com)
  • CSS: Tailwind CSS
  • Hosting: Cloudflare (CDN/proxy)
  • Domain: app.superfunnelsai.com (note: WebSocket domain is app.theagencytoolkit.com)

API Endpoints Discovered

| Endpoint | Method | Purpose |
|---|---|---|
| /api/ghl-session/login | POST | Authenticate GHL credentials (proxied to GHL auth) |
| /api/ghl-session/extension | POST | Store session from Chrome extension SSO |
| /api/funnel-clone/credentials | DELETE | Forget stored GHL session |
| /livewire/update | POST | Livewire component updates |
| /livewire/upload-file | POST | File uploads |

Chrome Extension Details

  • Extension ID: dollonnbdephinbelejjjjeidfcncfod
  • Name: Super Funnels AI SSO
  • Version: 0.1.1
  • Size: 19.22 KB
  • Developer: Code & Beans AB (Swedish company)
  • Developer contact: nils@codeandbeans.se, +46 70 629 05 80
  • Communication: Uses window.postMessage with types:
    • GHL_EXTENSION_PING (from app to extension)
    • GHL_EXTENSION_READY (from extension to app)
    • GHL_EXTENSION_LOGIN_RESPONSE (from extension to app)
  • Session data captured: refresh_token, sessionToken, refreshedToken, backendAuthToken, lcApiAuthToken, apiKey, companyId, userId, userType, locationId
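
The page-side handling of these messages can be sketched as follows. This is an added example, not code from SuperFunnels AI or the extension: it shows a listener check that accepts only the two extension-to-app message types from the page's own window and origin, and a redaction helper for the token fields listed above. The function names, the `session` payload shape and the sample values are assumptions.

```javascript
// Added example. Only the origin, the message type names and the token field
// names come from the report; every other name here is hypothetical.
const APP_ORIGIN = "https://app.superfunnelsai.com";
const FROM_EXTENSION = new Set(["GHL_EXTENSION_READY", "GHL_EXTENSION_LOGIN_RESPONSE"]);
const SECRET_FIELDS = ["refresh_token", "sessionToken", "refreshedToken",
  "backendAuthToken", "lcApiAuthToken", "apiKey"];

// Decide whether a MessageEvent-like object may be handled as an extension
// message. A content script posts through the page's own window, so both the
// origin and the source window must match. Note the limit of this check: any
// script already running in the page passes it too, so it filters other
// frames and origins but does not authenticate the extension.
function acceptExtensionMessage(event, pageWindow) {
  if (event.origin !== APP_ORIGIN) return { ok: false, reason: "origin" };
  if (event.source !== pageWindow) return { ok: false, reason: "source" };
  const data = event.data;
  if (data === null || typeof data !== "object" || !FROM_EXTENSION.has(data.type)) {
    return { ok: false, reason: "type" };
  }
  return { ok: true, type: data.type };
}

// Return a copy of a session payload that is safe to write to a console or
// log: secret values are replaced, identifiers such as companyId are kept.
function redactForLog(payload) {
  const out = { ...payload };
  for (const key of SECRET_FIELDS) {
    if (key in out) out[key] = "[redacted]";
  }
  return out;
}

// Constructed sample: a login response as the page might receive it.
const pageWindow = {}; // stands in for `window` when run outside a browser
const sampleEvent = {
  origin: APP_ORIGIN,
  source: pageWindow,
  data: { type: "GHL_EXTENSION_LOGIN_RESPONSE",
          session: { apiKey: "constructed-value", companyId: "constructed-id" } },
};
const verdict = acceptExtensionMessage(sampleEvent, pageWindow);
if (verdict.ok) console.log(verdict.type, redactForLog(sampleEvent.data.session));
```

In a browser the same check would run inside `window.addEventListener("message", ...)` with `window` passed as `pageWindow`.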

GHL Session Flow

  1. User clicks "Use HighLevel Login Credentials"
  2. React modal opens with email/password fields
  3. POST to /api/ghl-session/login with {email, password, remember}
  4. Server proxies to GHL auth, may return:
    • Success → page reloads, GHL connected
    • 2FA required → OTP modal shown
    • Account selection → multiple accounts picker shown
    • Invalid credentials → error message
  5. On success, encrypted session is stored server-side
  6. All subsequent GHL operations use this stored session

Funnel Clone Job System

The topbar shows a real-time progress tracker for funnel creation jobs:

  • States: idle → queued → running → completed/failed/cancelled
  • Special state: awaiting_two_factor (needs 2FA)
  • Progress stages tracked in JS:
    • Stage normalization with percentage mapping
    • Confetti animation on completion
    • Job status polling via API
    • LocalStorage persistence of job state
  • Result data includes: funnelUrl, builderUrl, locationId, funnelId
  • GHL builder URL format: https://app.gohighlevel.com/v2/location/{locationId}/funnels-websites/funnels/{funnelId}/

Console Errors & Warnings

  1. WebSocket SSL Error: ERR_SSL_UNRECOGNIZED_NAME_ALERT for wss://ws.app.theagencytoolkit.com — real-time features are broken
  2. Livewire Assets Outdated: Persistent warning about published assets being out of date
  3. User ID Not Found: Cannot initialize real-time notifications
  4. 419 CSRF Error: Token expiration during session
  5. Livewire Entangle Errors: Properties data.message and data.attachment not found on support question component

Security-Relevant Observations

  1. GHL Credentials Proxied: The app acts as a credential proxy — users enter GHL email/password directly into SuperFunnels AI's modal, which then authenticates server-side
  2. "Remember my session (encrypted)" — stores GHL session data encrypted server-side
  3. Session tokens captured: Multiple token types stored (refresh_token, sessionToken, backendAuthToken, lcApiAuthToken, apiKey)
  4. CSRF protection: Present (OLq1l8a2zSmvCVKh9pE4lfldQC8MMarc0sakjTUQ)
  5. WebSocket domain mismatch: app.theagencytoolkit.com vs app.superfunnelsai.com — suggests rebranding or shared infrastructure
  6. Horizon route responds with 403, not 404: Laravel Horizon exists, but access is denied
  7. Log-viewer route responds with 403, not 404: a log viewer exists, but access is denied
  8. No rate limiting observed on GHL login attempts
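
For observation 8, a sliding-window detection over request logs shows what a server-side limit or alert on this endpoint would key on. This is an added example, not the application's code: the log record shape, the 401 status for a failed login, the threshold and the sample records are all assumptions; only the endpoint path comes from the report.

```javascript
// Added example. LOGIN_PATH is from the report; the record fields, the 401
// failure status and the sample data below are constructed assumptions.
const LOGIN_PATH = "/api/ghl-session/login";

// Return a Map of client IP -> timestamp (ms) at which that IP first exceeded
// `limit` failed logins inside any `windowMs` span. A production rule would
// usually also key on the submitted e-mail address, not only on the IP.
function findLoginBursts(records, limit, windowMs) {
  const recent = new Map();  // ip -> failure timestamps still inside the window
  const flagged = new Map(); // ip -> time the limit was first exceeded
  const sorted = [...records].sort((a, b) => a.ts - b.ts);
  for (const r of sorted) {
    if (r.method !== "POST" || r.path !== LOGIN_PATH || r.status !== 401) continue;
    const times = recent.get(r.ip) || [];
    // Drop failures that have aged out of the window before counting.
    while (times.length && r.ts - times[0] >= windowMs) times.shift();
    times.push(r.ts);
    recent.set(r.ip, times);
    if (times.length > limit && !flagged.has(r.ip)) flagged.set(r.ip, r.ts);
  }
  return flagged;
}

// Constructed sample log: one client failing every 10 s, one failing every
// 70 s, and one successful login that must not be counted.
const fail = (ts, ip) => ({ ts, ip, method: "POST", path: LOGIN_PATH, status: 401 });
const sampleLog = [
  ...[0, 10000, 20000, 30000, 40000, 50000].map((ts) => fail(ts, "203.0.113.7")),
  ...[0, 70000, 140000].map((ts) => fail(ts, "198.51.100.9")),
  { ts: 55000, ip: "192.0.2.4", method: "POST", path: LOGIN_PATH, status: 200 },
];

// More than 5 failures within 60 s flags only the first client.
const bursts = findLoginBursts(sampleLog, 5, 60000);
console.log([...bursts.entries()]);
```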

What Would Happen If GHL Was Connected

Based on the tutorial video, marketing site, and code analysis, the full funnel creation flow would be:

Step 1: Template Selection

  • Choose from 500+ pre-built funnel templates
  • Or "Clone an Existing Funnel" by providing a GHL funnel URL
  • Templates categorized by industry/use case

Step 2: Business Information (The Wizard Form)

  1. Enter Business Name (required for AI)
  2. Enter Business Description (required for AI)
  3. Click "FILL THE REST WITH AI" — AI auto-generates:
    • Business niche
    • Target audience ("Who is it for?")
    • Offering description
    • Value proposition
    • Differentiators ("Why choose you?")
    • Call to action text
    • Tone of voice
  4. User can edit any AI-generated field
  5. Click "Let's GO! 🚀"

Step 3: AI Content Generation

  • AI rewrites all template copy using the business information
  • All copy is made unique and brand-specific
  • Progress tracked in real-time via topbar

Step 4: Deployment to GHL

  • Funnel is created directly in the user's GHL sub-account
  • Progress shown: queued → running → completed
  • On completion: confetti animation + link to open funnel in GHL builder
  • Funnel accessible at: https://app.gohighlevel.com/v2/location/{locationId}/funnels-websites/funnels/{funnelId}/

Blocker Summary

| Blocker | Impact | Workaround |
|---|---|---|
| GHL Connection Required | HARD BLOCK — Cannot access Funnel Wizard | Need valid GHL credentials |
| Free Plan (0 tokens) | Would limit funnel creation even if connected | Upgrade to paid plan |
| WebSocket Errors | Real-time notifications don't work | Non-blocking, page can still function |

The GHL connection is a true server-side gate, not just a frontend check. The /app/funnel-cloner route returns a 302 redirect to /app when no GHL session is active. There is no client-side bypass possible.


Files & Screenshots

| File | Description |
|---|---|
| step01-dashboard-ghl-connect.png | Dashboard with GHL connection prompt (sidebar visible) |
| step02-ghl-login-modal.png | GHL login modal (empty) |
| step03-ghl-required-toast.png | Toast notification: "HighLevel Connection Required" |
| step04-connect-ghl-full.png | Full connection page with sidebar collapsed |
| step05-user-settings.png | User settings page showing account details |
| step06-subscription-plans.png | Full pricing page with 4 tiers |
| step07-funnel-builds-empty.png | Empty funnel builds page |
| step08-templates-empty.png | Empty templates page |
| step09-import-templates-upgrade.png | Import templates - upgrade required |
| step10-ghl-login-filled.png | GHL login modal with credentials entered |
| step11-ghl-login-invalid.png | GHL login error: "Invalid email or password" |
| step12-support-faq.png | Support FAQ page |
| step13-tutorials-modal.png | Tutorials modal showing 4 videos |
| step14-tutorial-video-showing-wizard.png | Video thumbnail revealing the funnel wizard form |

Key Takeaways

  1. SuperFunnels AI is fundamentally a GHL integration tool — it cannot function standalone
  2. The AI wizard collects 9 fields of business data — 2 required, 7 optional (auto-fillable by AI)
  3. Revenue model is one-time credit purchases ($0-$1,297) — not subscriptions
  4. The Chrome extension captures multiple GHL auth tokens — refresh, session, backend auth, LC API auth, and API key
  5. Developer is Code & Beans AB (Sweden), contact: nils@codeandbeans.se
  6. WebSocket infrastructure uses theagencytoolkit.com domain — separate from main app domain
  7. Tutorial video URL: https://www.youtube.com/watch?v=WVuQzcg1fs0 — shows complete wizard
  8. The app has multiple infrastructure issues — broken WebSockets, outdated Livewire assets, CSRF token expiration