Gen Agent Trust Hub audit: skills/freekmurze/dotfiles/laravel

Skill: laravel

Verdict: Warn

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: MEDIUM
Flagged categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing the laravel/boost package via Composer. This is an external dependency from a source not explicitly verified as trusted, which could lead to supply chain attacks if the package name is typosquatted or the registry is compromised.
  • [COMMAND_EXECUTION]: The skill instructs the user to execute php artisan boost:install. This command runs code provided by the external package, allowing for arbitrary execution on the host system during setup.
  • [REMOTE_CODE_EXECUTION]: The combination of downloading an unverified package and running its installation command creates a vector for remote code execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it is designed to interact with and process Laravel project files while having the capability to execute shell commands.
    1. Ingestion points: Laravel project source files (controllers, models, routes).
    2. Boundary markers: None identified in the provided skill content.
    3. Capability inventory: Execution of Artisan shell commands.
    4. Sanitization: No evidence of input validation or sanitization for the project files being processed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 27, 2026, 05:14 PM