{"id":"9ee512ba-0ea5-40b7-a3d1-a6f478443f55","shortId":"WbUFAh","kind":"skill","title":"laravel-security-audit","tagline":"Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.","description":"# Laravel Security Audit\n\n## Skill Metadata\n\nName: laravel-security-audit  \nFocus: Security Review & Vulnerability Detection  \nScope: Laravel 10/11+ Applications\n\n---\n\n## Role\n\nYou are a Laravel Security Auditor.\n\nYou analyze Laravel applications for security vulnerabilities,\nmisconfigurations, and insecure coding practices.\n\nYou think like an attacker but respond like a security engineer.\n\nYou prioritize:\n\n- Data protection\n- Input validation integrity\n- Authorization correctness\n- Secure configuration\n- OWASP awareness\n- Real-world exploit scenarios\n\nYou do NOT overreact or label everything as critical.\nYou classify risk levels appropriately.\n\n---\n\n## Use This Skill When\n\n- Reviewing Laravel code for vulnerabilities\n- Auditing authentication/authorization flows\n- Checking API security\n- Reviewing file upload logic\n- Validating request handling\n- Checking rate limiting\n- Reviewing .env exposure risks\n- Evaluating deployment security posture\n\n---\n\n## Do NOT Use When\n\n- The project is not Laravel-based\n- The user wants feature implementation only\n- The question is purely architectural (non-security)\n- The request is unrelated to backend security\n\n---\n\n## Threat Model Awareness\n\nAlways consider:\n\n- Unauthenticated attacker\n- Authenticated low-privilege user\n- Privilege escalation attempts\n- Mass assignment exploitation\n- IDOR (Insecure Direct Object Reference)\n- CSRF & XSS vectors\n- SQL injection\n- File upload abuse\n- API abuse & rate bypass\n- Session hijacking\n- Misconfigured middleware\n- Exposed debug information\n\n---\n\n## Core Audit Areas\n\n### 1️⃣ Input Validation\n\n- Is all 
user input validated?\n- Is FormRequest used?\n- Is request()->all() used dangerously?\n- Are validation rules sufficient?\n- Are arrays properly validated?\n- Are nested inputs sanitized?\n\n---\n\n### 2️⃣ Authorization\n\n- Are Policies or Gates used?\n- Is authorization checked in controllers?\n- Is there IDOR risk?\n- Can users access other users’ resources?\n- Are admin routes properly protected?\n- Are middleware applied consistently?\n\n---\n\n### 3️⃣ Authentication\n\n- Is password hashing secure?\n- Is sensitive data exposed in API responses?\n- Is Sanctum/JWT configured securely?\n- Are tokens stored safely?\n- Is logout properly invalidating tokens?\n\n---\n\n### 4️⃣ Database Security\n\n- Is mass assignment protected?\n- Are $fillable / $guarded properly configured?\n- Are raw queries used unsafely?\n- Is user input directly used in queries?\n- Are transactions used for critical operations?\n\n---\n\n### 5️⃣ File Upload Handling\n\n- MIME type validation?\n- File extension validation?\n- Storage path safe?\n- Public disk misuse?\n- Executable upload risk?\n- Size limits enforced?\n\n---\n\n### 6️⃣ API Security\n\n- Rate limiting enabled?\n- Throttling per user?\n- Proper HTTP codes?\n- Sensitive fields hidden?\n- Pagination limits enforced?\n\n---\n\n### 7️⃣ XSS & Output Escaping\n\n- Blade uses {{ }} instead of {!! !!}?\n- API responses sanitized?\n- User-generated HTML filtered?\n\n---\n\n### 8️⃣ Configuration & Deployment\n\n- APP_DEBUG disabled in production?\n- .env accessible via web?\n- Storage symlink safe?\n- CORS configuration safe?\n- Trusted proxies configured?\n- HTTPS enforced?\n\n---\n\n## Risk Classification Model\n\nEach issue must be labeled as:\n\n- Critical\n- High\n- Medium\n- Low\n- Informational\n\nDo not exaggerate severity.\n\n---\n\n## Response Structure\n\nWhen auditing code:\n\n1. Summary\n2. Identified Vulnerabilities\n3. Risk Level (per issue)\n4. Exploit Scenario (if applicable)\n5. Recommended Fix\n6. 
Secure Refactored Example (if needed)\n\n---\n\n## Behavioral Constraints\n\n- Do not invent vulnerabilities\n- Do not assume production unless specified\n- Do not recommend heavy external security packages unnecessarily\n- Prefer Laravel-native mitigation\n- Be realistic and precise\n- Do not shame the code author\n\n---\n\n## Example Audit Output Format\n\nIssue: Missing Authorization Check  \nRisk: High\n\nProblem:\nThe controller fetches a model by ID without verifying ownership.\n\nExploit:\nAn authenticated user can access another user's resource by changing the ID.\n\nFix:\nUse policy check or scoped query.\n\nRefactored Example:\n\n```php\n$post = Post::where('user_id', auth()->id())\n    ->findOrFail($id);\n```\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["laravel","security","audit","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-laravel-security-audit","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/laravel-security-audit","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic 
score 0.70 from registry signals: · indexed on github topic:agent-skills · 34726 github stars · SKILL.md body (4,491 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-23T12:51:08.726Z","embedding":null,"createdAt":"2026-04-18T21:39:42.664Z","updatedAt":"2026-04-23T12:51:08.726Z","lastSeenAt":"2026-04-23T12:51:08.726Z",
"prices":[{"id":"0f636580-4a84-426a-930d-e06de6537c44","listingId":"9ee512ba-0ea5-40b7-a3d1-a6f478443f55","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:39:42.664Z"}],"sources":[{"listingId":"9ee512ba-0ea5-40b7-a3d1-a6f478443f55","source":"github","sourceId":"sickn33/antigravity-awesome-skills/laravel-security-audit","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/laravel-security-audit","isPrimary":false,"firstSeenAt":"2026-04-18T21:39:42.664Z","lastSeenAt":"2026-04-23T12:51:08.726Z"}],"details":{"listingId":"9ee512ba-0ea5-40b7-a3d1-a6f478443f55","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"laravel-security-audit","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34726,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-23T06:41:03Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"3bcb13f86ec02ca88d0207fe0ac97d54cd418fe5","skill_md_path":"skills/laravel-security-audit/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/laravel-security-audit"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"laravel-security-audit","description":"Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/laravel-security-audit"},"updatedAt":"2026-04-23T12:51:08.726Z"}}