Laravel Cloud
Security checks across malware telemetry and agentic risk
Overview
This appears to be a legitimate Laravel Cloud tool, but it should be reviewed because it can use your cloud token to change or delete infrastructure and run application commands.
Install only if you want the agent to manage Laravel Cloud infrastructure. Prefer a limited or non-production token when possible, verify resource IDs carefully, and require explicit approval before destructive changes, deployments, variable replacement, database/storage actions, or running commands.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad agent action could delete cloud resources, cause downtime, alter production configuration, or run damaging Laravel commands.
The wrapper sends destructive DELETE requests and remote command-run requests directly when invoked; the visible code does not show a confirmation, dry-run, or approval gate for these high-impact operations.
delete) [[ ${1:-} ]] || die "app-id required"; api DELETE "/applications/$1" ;; ... api POST "/environments/$id/commands" "$(jb command="$c")"
Use this only when you want the agent to manage Laravel Cloud infrastructure, and require explicit user approval before delete, stop/start, deployment, variable replacement, database, storage-key, or command-run actions.
Any person or agent using this skill with the token can perform whatever Laravel Cloud operations that token allows.
The skill requires a Laravel Cloud API token and can read it from a persistent local credential file, which is appropriate for the integration but grants account-level cloud authority.
requires: env: [LARAVEL_CLOUD_API_TOKEN] ... file: ~/.openclaw/credentials/laravel-cloud/config.json
Use the least-privileged token available, store it securely, avoid sharing it in chat, and revoke or rotate it when no longer needed.
Secrets, logs, or operational details could be exposed in the conversation or over-trusted by the agent if retrieved unnecessarily.
The skill can retrieve or manipulate logs, environment variables, and storage keys; these API responses or command arguments may place sensitive operational data or untrusted log text into the agent context.
`envs` | ... metrics, logs, vars-add, vars-replace ... `bucket-keys` | list, get, create, update, delete
Only request logs, environment variables, and keys when needed; redact sensitive output and do not treat application log text as instructions.
