Laravel Docs Reader

Security checks across malware telemetry and agentic risk

Overview

This is a Laravel documentation helper with visible, purpose-aligned version checks and examples, and no evidence of hidden collection, persistence, or destructive behavior.

Safe to install as a Laravel reference skill. Use it in trusted Laravel project directories, review generated code before applying it, and inspect the external GitHub repository before running any separate cloned PHP script or token-based publish command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 88% confidence

Finding: The activation section says the skill activates and then detects the project version, maps requests, and returns code/examples, but it does not clearly define when it should trigger or which actions require explicit user intent. In an agent setting, ambiguous trigger scope can cause the skill to engage on broad Laravel-related prompts and influence behavior beyond simple documentation lookup, increasing the chance of unintended actions or overreach.

Missing User Warnings

Medium, 95% confidence

Finding: The README advertises code generation but does not warn that generation may create files, overwrite existing paths, or produce code that an agent might apply automatically. In an agent environment, presenting generation as a routine feature without modification warnings can lead to unauthorized workspace changes or unsafe assumptions about write operations.

Missing User Warnings

Low, 90% confidence

Finding: The documented update command implies a cache refresh from GitHub but does not warn users that it performs network access and updates locally cached content. In agent workflows, undisclosed network retrieval can violate expected offline/read-only behavior and introduce unreviewed external content into the environment.

VirusTotal

65/65 vendors flagged this skill as clean.