Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Laravel Docs Reader

v1.0.0

Provides instant Laravel documentation, auto-detects project version, generates PSR-12 Laravel code, and highlights differences across Laravel 10 to 12 versi...

0· 63·0 current·0 all-time
by Gao.QiLin (@relunctance)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims a CLI tool (php scripts/laradoc.php), local doc caching, and a .github auto-update workflow, but the provided package (manifest) contains only documentation files and reference markdowns: no scripts/laradoc.php, no .github workflow file, and no executable code. The stated capabilities (version-aware docs, a code-generation CLI) would normally require that script or code to be present; the mismatch is unexplained and worth investigating before you trust the description.
Instruction Scope
SKILL.md instructs the agent to auto-detect Laravel by reading composer.json and vendor files and to run `php artisan --version` (via shell_exec in the reference). Those actions are proportional to version detection and doc selection. However, executing `php artisan` boots the application: it loads the project's environment and registers and boots service providers, so project code runs and may have side effects; the skill's instructions do not warn about that. The instructions do not request unrelated files or credentials, and network interactions are limited to an optional GitHub auto-update flow.
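An added example (not the skill's own code, which is absent from the package) of doing the version detection that SKILL.md describes without the `php artisan --version` step. It reads the installed release from composer.lock, falls back to the framework's `VERSION` constant in `vendor/laravel/framework/src/Illuminate/Foundation/Application.php`, and only as a last resort uses the composer.json constraint, which is a version range rather than a release. Nothing is executed, so no service provider runs and nothing from `.env` is loaded. The fixture projects are constructed inline for the demo; the `10.x`-style docs branch names follow the laravel/docs naming convention, and the helper names are this example's own.

```python
import json
import re
import tempfile
from pathlib import Path

# Real location of the framework's version constant inside an installed project.
# The line in that file looks like: const VERSION = '11.20.0';
APP_PHP = Path("vendor/laravel/framework/src/Illuminate/Foundation/Application.php")
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
MAJOR_RE = re.compile(r"\d+")


def detect_laravel_version(project: Path) -> dict:
    """Detect the Laravel version of a project by reading files only.

    Precedence: composer.lock (exact installed release) > Application.php
    constant > composer.json constraint (a range, lowest confidence).
    No subprocess is started, so application bootstrap code never runs.
    """
    lock = project / "composer.lock"
    if lock.is_file():
        for pkg in json.loads(lock.read_text()).get("packages", []):
            if pkg.get("name") == "laravel/framework":
                return _result(pkg["version"], "composer.lock")

    app_php = project / APP_PHP
    if app_php.is_file():
        m = VERSION_RE.search(app_php.read_text())
        if m:
            return _result(m.group(1), "Application.php")

    composer = project / "composer.json"
    if composer.is_file():
        req = json.loads(composer.read_text()).get("require", {})
        if "laravel/framework" in req:
            return _result(req["laravel/framework"], "composer.json (constraint)")

    return {"version": None, "major": None, "source": None, "docs": None}


def _result(version: str, source: str) -> dict:
    # Tolerates "v11.20.0", "11.20.0" and constraints such as "^11.0".
    m = MAJOR_RE.search(version)
    major = int(m.group(0)) if m else None
    return {"version": version.lstrip("v"), "major": major,
            "source": source, "docs": docs_branch(major)}


def docs_branch(major):
    """Map a major version to the laravel/docs branch name (10.x, 11.x, 12.x)."""
    return f"{major}.x" if major in (10, 11, 12) else None


def _write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def run_demo() -> dict:
    """Build constructed fixture projects (not real apps) and detect each one."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        full = root / "full"  # installed project: lock file wins
        _write(full, "composer.json", json.dumps({"require": {"laravel/framework": "^11.0"}}))
        _write(full, "composer.lock", json.dumps({"packages": [
            {"name": "laravel/framework", "version": "v11.20.0"}]}))
        _write(full, str(APP_PHP), "<?php\nclass Application {\n    const VERSION = '11.20.0';\n}\n")
        out["lock"] = detect_laravel_version(full)

        vendor_only = root / "vendor_only"  # lock file missing, vendor present
        _write(vendor_only, str(APP_PHP), "<?php\n    const VERSION = '10.48.2';\n")
        out["constant"] = detect_laravel_version(vendor_only)

        fresh = root / "fresh"  # freshly cloned, no composer install yet
        _write(fresh, "composer.json", json.dumps({"require": {"laravel/framework": "^12.0"}}))
        out["constraint"] = detect_laravel_version(fresh)

        out["empty"] = detect_laravel_version(root / "empty")  # not a Laravel project
    return out


if __name__ == "__main__":
    for name, res in run_demo().items():
        print(name, res)
```

The `source` field tells the agent how much to trust the answer: a constraint such as `^12.0` only fixes the major version, which is still enough to pick the docs branch but not to reason about a specific release.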
Install Mechanism
This is an instruction-only skill with no install spec and no downloads or third-party packages declared. That lowers installation risk. (Note: the SKILL.md references auto-PR GitHub Actions, but no workflow file is present in the package.)
Credentials
The skill requests no environment variables or credentials, which is appropriate for a documentation helper. Two things to note. First, the auto-update feature (GitHub Actions auto-PR) needs repository/workflow access to function in practice; the skill does not request a token, so if you enable auto-update later you would have to grant one yourself. Second, reading project files and running `php artisan` gives the agent access to application configuration (including values loaded from .env), and the agent may surface sensitive settings if it prints them. The skill does not request secrets, but it does operate on files in the project workspace.
Persistence & Privilege
The skill does not request always:true, does not require persistent system-wide changes, and does not claim to modify other skills. Autonomous invocation is allowed (platform default) — combine that with the notes above about executing `php artisan` when deciding whether to enable autonomous runs.
What to consider before installing
This skill appears to be a well-documented Laravel docs helper, but before installing:
1) Confirm provenance. The package lists a CLI script (scripts/laradoc.php) and a GitHub Actions workflow, but those files are not present in the manifest you were given. That could mean the skill is incomplete or the code was removed; ask the publisher for the actual code or a canonical repo.
2) Understand runtime behavior. The skill's version detection reads files (composer.json, vendor files) and may run `php artisan --version`. Running artisan boots application code, which can have side effects; run the skill in a safe/test workspace first.
3) If you plan to enable auto-update/auto-PR behavior, review and control the GitHub token and workflow that would perform those actions.
4) Prefer skills that include the actual CLI/script code (or a trustworthy upstream repo) so you can audit what will run. If the author cannot provide the missing script files or a trustworthy source, treat the skill as incomplete and do not give it autonomous execution rights.

Like a lobster shell, security has layers — review code before you run it.

Package contents:
docs
laravel
latest
reference
