Laravel Forge
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is a coherent Laravel Forge API wrapper, but it gives an agent broad power to change, delete, deploy, and run commands on infrastructure without documented safety gates.
Use this only if you intentionally want the agent to manage Laravel Forge resources. Before enabling it, verify the script, store the API token securely, set the intended organization explicitly, and require human review for deletes, deployments, service restarts, config changes, team/role changes, and any site command execution.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent invokes the wrong command or targets the wrong organization/server, it could interrupt services or delete infrastructure.
The wrapper can directly delete Forge servers and start/stop/restart production services through API calls. The artifacts do not show confirmation prompts, dry-run mode, approval requirements, or rollback guidance for these high-impact operations.
delete) ... api DELETE "/orgs/$org/servers/$1" ;; ... services: nginx <server-id> --action start|stop|restart
Install only if you want the agent to manage Forge infrastructure. Use a least-privilege token if Forge supports it, set an explicit organization, and require manual approval before destructive or production-changing commands.
A mistaken or overly broad agent action could run commands against a live site, potentially changing files, secrets, or application state.
The skill advertises a Forge-backed command-running capability for sites. That is powerful and purpose-related, but the provided instructions do not document constraints or approval safeguards for remote command execution.
| `commands` | Run commands on sites |
Treat any site command execution as production shell access. Review the exact command, site, and server before allowing the agent to run it.
Anyone or any agent process with access to the token can act through the Forge API within that token's permissions.
The Forge API token requirement is clearly disclosed and expected for this integration, but it gives the skill delegated authority over Forge resources available to that token.
credentials: primary: env: LARAVEL_FORGE_API_TOKEN ... file: ~/.openclaw/credentials/laravel-forge/config.json
Use the narrowest token available, store it securely, avoid sharing it in chat, and rotate it if you suspect exposure.
It may be harder to verify maintenance history, upstream ownership, or whether this wrapper matches the intended project.
The artifacts include the script source, but the registry entry does not provide an upstream source or homepage. This is a provenance gap for a skill that handles cloud infrastructure credentials.
Source: unknown; Homepage: none
Review the bundled script before use and prefer installing infrastructure-management skills from a source you can verify.
