Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Laravel Cloud

v1.2.2

Manage Laravel Cloud infrastructure via API — apps, environments, deployments, databases, caches, domains, scaling, commands, storage, and WebSockets.

by Florian Beer (@florianbeer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description describe a Laravel Cloud API wrapper and the skill only requires curl, jq, and a Laravel Cloud API token. The provided bash script implements API calls to cloud.laravel.com and exposes the resources/actions listed in the README — this is coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to use an API token or a credentials file located under ~/.openclaw/credentials/laravel-cloud/config.json; the script reads exactly that path and the LARAVEL_CLOUD_API_TOKEN env var. The script only constructs HTTP requests to the Laravel Cloud API. Note: the skill includes actions that run remote commands (e.g., 'commands run' to execute artisan on an environment) and can change environment variables/deployments — this is expected for an infra management tool but is powerful on the target infrastructure.
Install Mechanism
There is no install spec; the skill is instruction + a local bash script. No downloads from remote URLs or package installers are used. This minimal approach reduces install-time risk.
Credentials
Only LARAVEL_CLOUD_API_TOKEN is required (and an optional local credentials file). No unrelated credentials, system-wide config paths, or other secrets are requested. The script optionally supports resolving op:// 1Password references if the 'op' binary is present, but it does not require 'op' to be installed.
Persistence & Privilege
always:false (default) and the skill does not request persistent system-wide privileges or modify other skills' configs. It only reads/stores credentials in its own declared credentials path.
Assessment
This skill appears to do exactly what it says: it's a bash CLI wrapper that calls the Laravel Cloud REST API. Before installing, be aware that the provided API token grants full API access to your Laravel Cloud account (ability to change env vars, trigger deployments, run commands, create/delete resources). Only supply a token with the minimum required scope, store it securely, and consider rotating/revoking the token after use. Verify you trust the skill author/source (the package comes with a script file — review it locally). Note: the script will attempt to resolve op:// 1Password references if the 'op' CLI is present, but 'op' is not required; this is optional convenience, not malicious. If you need stricter controls, create a limited-scope API token in Laravel Cloud rather than using an account-wide token.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: curl, jq
Env: LARAVEL_CLOUD_API_TOKEN
