clawdbot-workspace/pentest-superfunnels/FUNNEL-CREATION-REPORT.md
2026-02-06 23:01:30 -05:00


# SuperFunnels AI — Funnel Creation Walkthrough Report
**Date:** February 6, 2026  
**Researcher:** Automated walkthrough via Clawdbot  
**Account:** jake@burtonmethod.com (logged in as Jake Shore)  
**Account Email on File:** sftesta6577921@virgilian.com  
**Plan:** Free ($0, 3 credits, limited to 1 GHL account)  
**Tokens Balance:** 0

---
## Executive Summary
SuperFunnels AI is a HighLevel (GHL) funnel cloning/generation tool built on Laravel/Filament with Livewire components. **The Funnel Wizard is completely gated behind GoHighLevel account connection** — without valid GHL credentials, you cannot access any funnel creation functionality. The app requires both a GHL API connection AND a browser-based login session to function.

The funnel creation wizard (visible via the tutorial video thumbnail) collects business information, uses AI to generate funnel copy, then deploys directly to GHL.

---
## Step-by-Step Walkthrough
### Step 1: Login (Already Authenticated)
- **URL:** `https://app.superfunnelsai.com/app/login`
- **Result:** Session was already active from previous exploration. Redirected to dashboard.
- **Screenshot:** `step01-dashboard-ghl-connect.png`
### Step 2: Dashboard — GHL Connection Required
- **URL:** `https://app.superfunnelsai.com/app`
- **What's shown:** "Quick Setup" page with "Connect Your HighLevel Account" as the primary CTA
- **Two connection methods offered:**
1. **Chrome Extension** (1-Click Connect) — installs `dollonnbdephinbelejjjjeidfcncfod` extension
2. **HighLevel Login Credentials** — opens a modal to enter GHL email/password
- **Screenshot:** `step04-connect-ghl-full.png`
- **Key observation:** The entire app is essentially non-functional without GHL connection
### Step 3: GHL Login Modal
- **Triggered by:** "Use HighLevel Login Credentials →" button
- **Modal fields:**
  - GoHighLevel Email (placeholder: you@agency.com)
  - Password (placeholder: ••••••••)
  - Checkbox: "Remember my session (encrypted)" (checked by default)
  - Red warning text: "Login to your HighLevel account to continue."
- **API endpoint:** `POST /api/ghl-session/login`
- **Screenshot:** `step02-ghl-login-modal.png`
### Step 4: GHL Login Attempt (Failed)
- **Entered:** jake@burtonmethod.com / FMQ-gbd6qxb@zmb6mbt (SuperFunnels credentials, NOT GHL)
- **Result:** "Invalid email or password" — correctly rejects non-GHL credentials
- **Screenshot:** `step11-ghl-login-invalid.png`
- **Key insight:** The system proxies login to GoHighLevel's auth system, NOT its own
### Step 5: Funnel Wizard Navigation (Blocked)
- **URL attempted:** `https://app.superfunnelsai.com/app/funnel-cloner`
- **Result:** Server-side redirect back to `https://app.superfunnelsai.com/app` (dashboard)
- **Toast notification:** "HighLevel Connection Required — Before you can start creating magic, you need to authorize your HighLevel login session"
- **Screenshot:** `step03-ghl-required-toast.png`
### Step 6: User Settings
- **URL:** `https://app.superfunnelsai.com/app/user-settings`
- **Accessible:** ✅ Yes
- **Data shown:**
  - Name: Jake Shore
  - Email: sftesta6577921@virgilian.com
  - Password: (empty, "Leave empty to keep current")
- **Screenshot:** `step05-user-settings.png`
- **Finding:** The displayed email differs from login email — account uses auto-generated email
### Step 7: Subscription Management / Plans & Billing
- **URL:** `https://app.superfunnelsai.com/app/subscription-management`
- **Accessible:** ✅ Yes
- **Plans visible (all one-time pricing, not subscriptions):**

| Plan | Price | Credits | GHL Accounts | Key Features |
|------|-------|---------|-------------|--------------|
| **Free** (Current) | $0 | 3 | 1 | 3 pre-selected templates |
| **Starter** | $297 (was $597) | 100 | 1 | 500+ template library, AI copywriting |
| **Agency** (Most Popular) | $497 (was $997) | 1000 | 100 | Import any template, Super Editor license |
| **Founder's Lifetime Deal** | $1,297 (was $2,997) | 1500 | Unlimited | White label, VIP support, 24 left |
- **Screenshot:** `step06-subscription-plans.png`
### Step 8: Funnel Builds
- **URL:** `https://app.superfunnelsai.com/app/funnel-builds`
- **Accessible:** ✅ Yes
- **Content:** "No builds yet." — empty state
- **Screenshot:** `step07-funnel-builds-empty.png`
### Step 9: My Templates
- **URL:** `https://app.superfunnelsai.com/app/ghl-templates`
- **Accessible:** ✅ Yes
- **Content:** "No Templates" — empty state with search/filter
- **Screenshot:** `step08-templates-empty.png`
### Step 10: Import GHL Templates
- **URL:** `https://app.superfunnelsai.com/app/ghl-templates/import`
- **Accessible:** ✅ Yes (page loads)
- **Content:** "Upgrade required — Want to import your own templates? Upgrade to get access."
- **Screenshot:** `step09-import-templates-upgrade.png`
### Step 11: Support / FAQ
- **URL:** `https://app.superfunnelsai.com/app/support/get-support`
- **Accessible:** ✅ Yes
- **FAQ content:**
  - Authentication requires GHL API connection + login session
  - "You need to use the exact same credentials you used to login to HighLevel"
  - Template import not available on all plans
- **Screenshot:** `step12-support-faq.png`
### Step 12: Tutorials Modal
- **4 tutorial videos available:**
  1. "Connecting Super Funnels AI with HighLevel" (Getting Started)
  2. "Creating a HighLevel funnel or website in Super Funnels AI" (Getting Started)
  3. "Importing HighLevel templates to your Super Funnels AI account" (Getting Started)
  4. "Importing a template from any HighLevel link" (Getting Started)
- **Screenshot:** `step13-tutorials-modal.png`
### Step 13: Tutorial Video — Funnel Creation Wizard Revealed
- **Video URL:** `https://www.youtube.com/watch?v=WVuQzcg1fs0`
- **Title:** "Creating a HighLevel funnel or website in Super Funnels AI"
- **Screenshot:** `step14-tutorial-video-showing-wizard.png`
The video thumbnail clearly shows the **Funnel Creation Wizard Form** with these fields:

| Field | Required | Placeholder/Description |
|-------|----------|------------------------|
| **Business Name** | MANDATORY FOR AI | "Name of the business" |
| **Business Description** | MANDATORY FOR AI | "Describe the business in 2-3 sentences" |
| **"FILL THE REST WITH AI" button** | N/A | Auto-fills remaining fields from name + description |
| **Business niche** | Optional | "e.g., Local Bakery, Digital Marketing Agency, Fitness Studio, Restaurant, Law Firm" |
| **Who is it for?** | Optional | "Describe the niche, role, or demographic you're targeting" |
| **What are you offering?** | Optional | "Summarize the offer, service or product" |
| **Value proposition** | Optional | "Explain the main problem you solve and the outcome you promise" |
| **Why choose you?** | Optional | "Mention differentiators, proof, guarantees, awards, etc." |
| **Call to action** | Optional | "e.g., Book a consult, Start free trial, Claim your seat" |
| **Tone of Voice** | Optional | (visible but placeholder cut off) |
| **Back / Let's GO! 🚀** | N/A | Navigation buttons |
---
## Technical Architecture & Findings
### Tech Stack
- **Framework:** Laravel (PHP) with Filament admin panel
- **Frontend:** Livewire (server-side rendering) + Alpine.js + React (for GHL login modal)
- **Build tool:** Vite (app-CQli-r76.js bundle)
- **Real-time:** Laravel Echo + WebSockets (attempting `wss://ws.app.theagencytoolkit.com`)
- **CSS:** Tailwind CSS
- **Hosting:** Cloudflare (CDN/proxy)
- **Domain:** app.superfunnelsai.com (note: WebSocket domain is `app.theagencytoolkit.com`)
### API Endpoints Discovered
| Endpoint | Method | Purpose |
|----------|--------|---------|
| `/api/ghl-session/login` | POST | Authenticate GHL credentials (proxied to GHL auth) |
| `/api/ghl-session/extension` | POST | Store session from Chrome extension SSO |
| `/api/funnel-clone/credentials` | DELETE | Forget stored GHL session |
| `/livewire/update` | POST | Livewire component updates |
| `/livewire/upload-file` | POST | File uploads |
### Chrome Extension Details
- **Extension ID:** `dollonnbdephinbelejjjjeidfcncfod`
- **Name:** Super Funnels AI SSO
- **Version:** 0.1.1
- **Size:** 19.22 KB
- **Developer:** Code & Beans AB (Swedish company)
- **Developer contact:** nils@codeandbeans.se, +46 70 629 05 80
- **Communication:** Uses `window.postMessage` with types:
  - `GHL_EXTENSION_PING` (from app to extension)
  - `GHL_EXTENSION_READY` (from extension to app)
  - `GHL_EXTENSION_LOGIN_RESPONSE` (from extension to app)
- **Session data captured:** refresh_token, sessionToken, refreshedToken, backendAuthToken, lcApiAuthToken, apiKey, companyId, userId, userType, locationId
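The extension-to-app channel above is a `window.postMessage` exchange, and the receiving page is the place where a message of type `GHL_EXTENSION_LOGIN_RESPONSE` either is or is not trusted. The listener below is an added example written for this report, not code from SuperFunnels AI or from the Super Funnels AI SSO extension; it shows the checks a defender expects on that channel: an `event.origin` check, a type check, and an allow-list of the session fields the report lists. It assumes (this is not on the page) that the extension's content script posts into the app's own window, so the expected origin is the app origin, and that the login response carries its fields under a `payload` object.

```javascript
// Added example, not code from SuperFunnels AI or its extension: a hardened
// window.postMessage listener for the three message types the report lists.
// Assumptions (not on the page): the extension posts into the app's own window,
// so the trusted event.origin is the app origin; the login response carries its
// session fields under a `payload` object.

const APP_ORIGIN = 'https://app.superfunnelsai.com';
const GHL_EXTENSION_PING = 'GHL_EXTENSION_PING';                     // app -> extension
const GHL_EXTENSION_READY = 'GHL_EXTENSION_READY';                   // extension -> app
const GHL_EXTENSION_LOGIN_RESPONSE = 'GHL_EXTENSION_LOGIN_RESPONSE'; // extension -> app

// Session fields the report says the extension hands over; any other key is dropped.
const ALLOWED_SESSION_KEYS = [
  'refresh_token', 'sessionToken', 'refreshedToken', 'backendAuthToken',
  'lcApiAuthToken', 'apiKey', 'companyId', 'userId', 'userType', 'locationId',
];

// Pure handler so it can be exercised without a browser: takes an event-like
// object { origin, data } and returns a decision instead of acting on it.
function handleExtensionMessage(event, trustedOrigin = APP_ORIGIN) {
  if (!event || event.origin !== trustedOrigin) {
    return { accepted: false, reason: 'untrusted-origin' };
  }
  const data = event.data;
  if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed' };
  }
  switch (data.type) {
    case GHL_EXTENSION_READY:
      return { accepted: true, action: 'extension-ready' };
    case GHL_EXTENSION_PING:
      // Ping travels app -> extension; an inbound ping is not something the app acts on.
      return { accepted: false, reason: 'wrong-direction' };
    case GHL_EXTENSION_LOGIN_RESPONSE: {
      const payload = data.payload;
      if (!payload || typeof payload !== 'object') {
        return { accepted: false, reason: 'missing-payload' };
      }
      // Allow-list the fields and require non-empty string values, so a crafted
      // message cannot smuggle objects or unexpected keys into the stored session.
      const session = {};
      for (const key of ALLOWED_SESSION_KEYS) {
        if (typeof payload[key] === 'string' && payload[key].length > 0) {
          session[key] = payload[key];
        }
      }
      if (!session.sessionToken || !session.locationId) {
        return { accepted: false, reason: 'incomplete-session' };
      }
      return { accepted: true, action: 'store-session', session };
    }
    default:
      return { accepted: false, reason: 'unknown-type' };
  }
}

// Browser wiring: hand accepted sessions to the app (e.g. the caller then POSTs
// them to /api/ghl-session/extension) and ignore everything else.
function installExtensionListener(win, onSession) {
  win.addEventListener('message', (event) => {
    const result = handleExtensionMessage(event);
    if (result.accepted && result.action === 'store-session') onSession(result.session);
  });
}
```

The origin check only narrows the sender to the page's own origin; any script running on that page could post the same message, so the server behind `/api/ghl-session/extension` still has to treat the submitted tokens as untrusted input and confirm them against GHL before storing them.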
### GHL Session Flow
1. User clicks "Use HighLevel Login Credentials"
2. React modal opens with email/password fields
3. POST to `/api/ghl-session/login` with `{email, password, remember}`
4. Server proxies to GHL auth, may return:
   - Success → page reloads, GHL connected
   - 2FA required → OTP modal shown
   - Account selection → multiple accounts picker shown
   - Invalid credentials → error message
5. On success, encrypted session is stored server-side
6. All subsequent GHL operations use this stored session
### Funnel Clone Job System
The topbar shows a real-time progress tracker for funnel creation jobs:
- **States:** idle → queued → running → completed/failed/cancelled
- **Special state:** `awaiting_two_factor` (needs 2FA)
- **Progress stages tracked in JS:**
  - Stage normalization with percentage mapping
  - Confetti animation on completion
  - Job status polling via API
  - LocalStorage persistence of job state
- **Result data includes:** funnelUrl, builderUrl, locationId, funnelId
- **GHL builder URL format:** `https://app.gohighlevel.com/v2/location/{locationId}/funnels-websites/funnels/{funnelId}/`
### Console Errors & Warnings
1. **WebSocket SSL Error:** `ERR_SSL_UNRECOGNIZED_NAME_ALERT` for `wss://ws.app.theagencytoolkit.com` — real-time features are broken
2. **Livewire Assets Outdated:** Persistent warning about published assets being out of date
3. **User ID Not Found:** Cannot initialize real-time notifications
4. **419 CSRF Error:** Token expiration during session
5. **Livewire Entangle Errors:** Properties `data.message` and `data.attachment` not found on support question component
### Security-Relevant Observations
1. **GHL Credentials Proxied:** The app acts as a credential proxy — users enter GHL email/password directly into SuperFunnels AI's modal, which then authenticates server-side
2. **"Remember my session (encrypted)"** — stores GHL session data encrypted server-side
3. **Session tokens captured:** Multiple token types stored (refresh_token, sessionToken, backendAuthToken, lcApiAuthToken, apiKey)
4. **CSRF protection:** Present (`OLq1l8a2zSmvCVKh9pE4lfldQC8MMarc0sakjTUQ`)
5. **WebSocket domain mismatch:** `app.theagencytoolkit.com` vs `app.superfunnelsai.com` — suggests rebranding or shared infrastructure
6. **Horizon endpoint present** (returned 403, not 404) — Laravel Horizon is deployed behind an authorization check
7. **Log-viewer endpoint present** (returned 403, not 404) — a log viewer is deployed behind an authorization check
8. **No rate limiting observed** on GHL login attempts
---
## What Would Happen If GHL Was Connected
Based on the tutorial video, marketing site, and code analysis, the full funnel creation flow would be:
### Step 1: Template Selection
- Choose from 500+ pre-built funnel templates
- Or "Clone an Existing Funnel" by providing a GHL funnel URL
- Templates categorized by industry/use case
### Step 2: Business Information (The Wizard Form)
1. Enter **Business Name** (required for AI)
2. Enter **Business Description** (required for AI)
3. Click **"FILL THE REST WITH AI"** — AI auto-generates:
   - Business niche
   - Target audience ("Who is it for?")
   - Offering description
   - Value proposition
   - Differentiators ("Why choose you?")
   - Call to action text
   - Tone of voice
4. User can edit any AI-generated field
5. Click **"Let's GO! 🚀"**
### Step 3: AI Content Generation
- AI rewrites all template copy using the business information
- All copy is made unique and brand-specific
- Progress tracked in real-time via topbar
### Step 4: Deployment to GHL
- Funnel is created directly in the user's GHL sub-account
- Progress shown: queued → running → completed
- On completion: confetti animation + link to open funnel in GHL builder
- Funnel accessible at: `https://app.gohighlevel.com/v2/location/{locationId}/funnels-websites/funnels/{funnelId}/`
---
## Blocker Summary
| Blocker | Impact | Workaround |
|---------|--------|------------|
| GHL Connection Required | **HARD BLOCK** — Cannot access Funnel Wizard | Need valid GHL credentials |
| Free Plan (0 tokens) | Would limit funnel creation even if connected | Upgrade to paid plan |
| WebSocket Errors | Real-time notifications don't work | Non-blocking, page can still function |
**The GHL connection is a true server-side gate** — not just a frontend check. The `/app/funnel-cloner` route returns a 302 redirect to `/app` when the GHL session is not active. There is no client-side bypass possible.

---
## Files & Screenshots
| File | Description |
|------|-------------|
| `step01-dashboard-ghl-connect.png` | Dashboard with GHL connection prompt (sidebar visible) |
| `step02-ghl-login-modal.png` | GHL login modal (empty) |
| `step03-ghl-required-toast.png` | Toast notification: "HighLevel Connection Required" |
| `step04-connect-ghl-full.png` | Full connection page with sidebar collapsed |
| `step05-user-settings.png` | User settings page showing account details |
| `step06-subscription-plans.png` | Full pricing page with 4 tiers |
| `step07-funnel-builds-empty.png` | Empty funnel builds page |
| `step08-templates-empty.png` | Empty templates page |
| `step09-import-templates-upgrade.png` | Import templates - upgrade required |
| `step10-ghl-login-filled.png` | GHL login modal with credentials entered |
| `step11-ghl-login-invalid.png` | GHL login error: "Invalid email or password" |
| `step12-support-faq.png` | Support FAQ page |
| `step13-tutorials-modal.png` | Tutorials modal showing 4 videos |
| `step14-tutorial-video-showing-wizard.png` | Video thumbnail revealing the funnel wizard form |
---
## Key Takeaways
1. **SuperFunnels AI is fundamentally a GHL integration tool** — it cannot function standalone
2. **The AI wizard collects 9 fields of business data** — 2 required, 7 optional (auto-fillable by AI)
3. **Revenue model is one-time credit purchases** ($0-$1,297) — not subscriptions
4. **The Chrome extension captures multiple GHL auth tokens** — refresh, session, backend auth, LC API auth, and API key
5. **Developer is Code & Beans AB** (Sweden), contact: nils@codeandbeans.se
6. **WebSocket infrastructure uses `theagencytoolkit.com`** domain — separate from main app domain
7. **Tutorial video URL:** https://www.youtube.com/watch?v=WVuQzcg1fs0 — shows complete wizard
8. **The app has multiple infrastructure issues** — broken WebSockets, outdated Livewire assets, CSRF token expiration