Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Laravel Forge

v1.0.0

Manage Laravel Forge servers, sites, deployments, databases, integrations, and more via the Forge API.

by Florian Beer (@florianbeer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Laravel Forge API management) aligns with required binaries (curl, jq), the single required env var (LARAVEL_FORGE_API_TOKEN), the declared credential file (~/.openclaw/credentials/laravel-forge/config.json), and the provided bash wrapper that calls forge.laravel.com endpoints.
Instruction Scope
SKILL.md and the script instruct the agent to call only the Laravel Forge API endpoints via curl; the script reads the declared credentials file and optional environment variables and does not reference unrelated system files, external endpoints, or exfiltration channels. It auto-detects an org by calling /orgs (using the same token).
Install Mechanism
No install spec or remote downloads are present; this is an instruction-only skill with a bundled bash script. No archives or external install URLs are used, so nothing arbitrary is fetched or written during installation.
Credentials
Only LARAVEL_FORGE_API_TOKEN is required (appropriate for API access). The script also optionally reads LARAVEL_FORGE_ORG (useful but not declared as required in metadata) and the local credentials file; this is reasonable, but the token is powerful and should be treated as a sensitive secret.
Persistence & Privilege
always is false and the skill does not request system-wide changes. The script reads/writes only its own credential file path under ~/.openclaw and does not modify other skills or global agent configuration.
Assessment
This skill is coherent for managing Laravel Forge via its API, but the API token you provide grants broad control over your Forge org(s) (servers, sites, deployments, DBs, etc.). Before installing: review the bundled script (scripts/laravel-forge.sh) yourself; prefer creating a Forge token with the least privileges necessary; store the token in the recommended credentials file or env var on a trusted machine; be aware that the script may print your org slug to stderr when auto-detecting an org; and be prepared to revoke the token if you suspect misuse.

Like a lobster shell, security has layers — review code before you run it.

latestvk9723xbzyrv8hrr4bqjwqst9g981gfrh

Runtime requirements

Bins: curl, jq
Env: LARAVEL_FORGE_API_TOKEN
