Is florianbeer/laravel-forge safe?

https://github.com/openclaw/skills/tree/main/skills/florianbeer/laravel-forge

Overall score: 97/100 · SAFE

This Laravel Forge API skill appears to be a legitimate CLI wrapper for server management with no malicious intent detected. The skill properly handles credentials and provides documented API functionality. Minor concerns relate to system-level file accesses during installation, which appear to be normal authentication processes rather than skill-initiated data exfiltration.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

LOW System processes accessed sensitive honeypot files -10

During skill installation, system authentication processes accessed sensitive files including .env, SSH keys, AWS credentials, and other honeypot files. However, analysis indicates these accesses were part of normal sudo/PAM authentication flows rather than the skill itself attempting data exfiltration.

INFO Honeypot files accessed but not modified -5

Canary files were accessed during installation but remained unmodified, which the scan takes as confirmation that no data exfiltration occurred. The accesses appear to be read-only, system-level checks performed during authentication.

INFO Standard server management tool risks -10

As a Laravel Forge API wrapper, this skill requires sensitive API tokens and provides server management capabilities. While legitimate, users should ensure proper token security and understand the scope of operations possible through the Laravel Forge API.