laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
About this skill
The Laravel Security Audit skill empowers an AI agent to act as a specialized security auditor for Laravel applications (versions 10/11+). It systematically analyzes application code to identify potential security vulnerabilities, common misconfigurations, and non-adherence to secure coding practices. The skill operates by applying established security standards such as OWASP (Open Web Application Security Project) guidelines and Laravel's own security best practices. The agent is designed to 'think like an attacker' to pinpoint potential attack vectors and weaknesses, but 'respond like a security engineer' by providing actionable insights and recommendations for remediation, prioritizing data protection, input validation integrity, authorization correctness, and secure configuration.
Best use case
This skill is ideal for developers, security engineers, or teams building and maintaining Laravel applications who need an automated, initial layer of security review. It can be integrated into CI/CD pipelines for continuous security checks, used during development to catch issues early, or for pre-deployment audits to ensure applications meet a baseline security standard.
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
A detailed security audit report or summary for the specified Laravel codebase, highlighting identified vulnerabilities, misconfigurations, and insecure practices. The output will typically include severity ratings, explanations of the findings, and concrete recommendations for remediation based on OWASP standards and Laravel best practices.
Practical example
Example input
Please perform a security audit on the following Laravel controller. Focus on potential SQL injection, mass assignment, and authorization issues:
```php
namespace App\Http\Controllers;
use App\Models\Product;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class ProductController extends Controller
{
public function store(Request $request)
{
// Mass assignment potential without proper fillable/guarded
$product = new Product();
$product->fill($request->all());
$product->user_id = Auth::id(); // Assumes user is authenticated
$product->save();
return response()->json($product, 201);
}
public function show(Product $product)
{
// Missing authorization check
return response()->json($product);
}
public function update(Request $request, $id)
{
$product = Product::find($id);
if (!$product) {
return response()->json(['message' => 'Product not found'], 404);
}
// Potential for mass assignment and lack of authorization
$product->update($request->except(['user_id'])); // Attempt to prevent user_id change
return response()->json($product);
}
}
```Example output
```json
{
"audit_summary": "Security audit for ProductController identified several potential vulnerabilities.",
"findings": [
{
"id": "VULN-001",
"type": "Mass Assignment Vulnerability",
"severity": "High",
"location": "app/Http/Controllers/ProductController.php:14 (store method)",
"description": "The `store` method uses `$product->fill($request->all())` which is vulnerable to mass assignment if the `Product` model does not have `$fillable` or `$guarded` properties correctly configured. An attacker could potentially inject unexpected attributes.",
"recommendation": "Ensure the `Product` model has a `$fillable` array defined with allowed attributes, or use `$request->validated()` after strong form request validation. Alternatively, use `$request->only([...])` or `$request->except([...])` with caution.",
"owasp_reference": "A03:2021-Injection (specifically related to untrusted input handling)"
},
{
"id": "VULN-002",
"type": "Missing Authorization Check",
"severity": "Medium",
"location": "app/Http/Controllers/ProductController.php:23 (show method)",
"description": "The `show` method directly returns a product without checking if the authenticated user has permission to view it (e.g., if it belongs to them). This could lead to unauthorized data disclosure.",
"recommendation": "Implement authorization checks using Laravel's gates or policies. For example, `$this->authorize('view', $product);` at the beginning of the method.",
"owasp_reference": "A01:2021-Broken Access Control"
},
{
"id": "VULN-003",
"type": "Missing Authorization Check and Mass Assignment in Update",
"severity": "High",
"location": "app/Http/Controllers/ProductController.php:33 (update method)",
"description": "The `update` method updates a product by ID without first verifying if the authenticated user is authorized to modify this specific product. Additionally, `$product->update($request->except(['user_id']))` attempts to mitigate `user_id` change but still allows other potentially sensitive fields to be mass assigned if not protected by `$fillable`/`$guarded` or strong validation.",
"recommendation": "Apply authorization checks (e.g., `$this->authorize('update', $product);`). Implement robust validation using Form Requests and specify allowed updateable fields using `$request->validated()` or `$product->fill($request->only(['name', 'description', 'price']));`.",
"owasp_reference": "A01:2021-Broken Access Control, A03:2021-Injection"
}
],
"overall_status": "Critical vulnerabilities detected. Immediate action recommended."
}
```When to use this skill
- Use this skill before deploying new Laravel applications or significant features, during regular security audits, after integrating new third-party packages, or when refactoring existing code to ensure no new vulnerabilities are introduced. It's particularly useful for quickly identifying common security pitfalls that might be overlooked in manual reviews.
When not to use this skill
- This skill is not suitable for auditing non-Laravel applications or for performing a full, highly specialized manual security penetration test. While comprehensive, it's an automated tool and should complement, not entirely replace, expert human security reviews for highly sensitive systems, stringent regulatory compliance, or novel attack vectors that require advanced threat modeling.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/laravel-security-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How laravel-security-audit Compares
| Feature / Agent | laravel-security-audit | Standard Approach |
|---|---|---|
| Platform Support | Claude | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | medium | N/A |
Frequently Asked Questions
What does this skill do?
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
Which AI agents support this skill?
This skill is designed for Claude.
How difficult is it to install?
The installation complexity is rated as medium. You can find the installation instructions above.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Laravel Security Audit
## Skill Metadata
Name: laravel-security-audit
Focus: Security Review & Vulnerability Detection
Scope: Laravel 10/11+ Applications
---
## Role
You are a Laravel Security Auditor.
You analyze Laravel applications for security vulnerabilities,
misconfigurations, and insecure coding practices.
You think like an attacker but respond like a security engineer.
You prioritize:
- Data protection
- Input validation integrity
- Authorization correctness
- Secure configuration
- OWASP awareness
- Real-world exploit scenarios
You do NOT overreact or label everything as critical.
You classify risk levels appropriately.
---
## Use This Skill When
- Reviewing Laravel code for vulnerabilities
- Auditing authentication/authorization flows
- Checking API security
- Reviewing file upload logic
- Validating request handling
- Checking rate limiting
- Reviewing .env exposure risks
- Evaluating deployment security posture
---
## Do NOT Use When
- The project is not Laravel-based
- The user wants feature implementation only
- The question is purely architectural (non-security)
- The request is unrelated to backend security
---
## Threat Model Awareness
Always consider:
- Unauthenticated attacker
- Authenticated low-privilege user
- Privilege escalation attempts
- Mass assignment exploitation
- IDOR (Insecure Direct Object Reference)
- CSRF & XSS vectors
- SQL injection
- File upload abuse
- API abuse & rate bypass
- Session hijacking
- Misconfigured middleware
- Exposed debug information
---
## Core Audit Areas
### 1️⃣ Input Validation
- Is all user input validated?
- Is FormRequest used?
- Is request()->all() used dangerously?
- Are validation rules sufficient?
- Are arrays properly validated?
- Are nested inputs sanitized?
---
### 2️⃣ Authorization
- Are Policies or Gates used?
- Is authorization checked in controllers?
- Is there IDOR risk?
- Can users access other users’ resources?
- Are admin routes properly protected?
- Are middleware applied consistently?
---
### 3️⃣ Authentication
- Is password hashing secure?
- Is sensitive data exposed in API responses?
- Is Sanctum/JWT configured securely?
- Are tokens stored safely?
- Is logout properly invalidating tokens?
---
### 4️⃣ Database Security
- Is mass assignment protected?
- Are $fillable / $guarded properly configured?
- Are raw queries used unsafely?
- Is user input directly used in queries?
- Are transactions used for critical operations?
---
### 5️⃣ File Upload Handling
- MIME type validation?
- File extension validation?
- Storage path safe?
- Public disk misuse?
- Executable upload risk?
- Size limits enforced?
---
### 6️⃣ API Security
- Rate limiting enabled?
- Throttling per user?
- Proper HTTP codes?
- Sensitive fields hidden?
- Pagination limits enforced?
---
### 7️⃣ XSS & Output Escaping
- Blade uses {{ }} instead of {!! !!}?
- API responses sanitized?
- User-generated HTML filtered?
---
### 8️⃣ Configuration & Deployment
- APP_DEBUG disabled in production?
- .env accessible via web?
- Storage symlink safe?
- CORS configuration safe?
- Trusted proxies configured?
- HTTPS enforced?
---
## Risk Classification Model
Each issue must be labeled as:
- Critical
- High
- Medium
- Low
- Informational
Do not exaggerate severity.
---
## Response Structure
When auditing code:
1. Summary
2. Identified Vulnerabilities
3. Risk Level (per issue)
4. Exploit Scenario (if applicable)
5. Recommended Fix
6. Secure Refactored Example (if needed)
---
## Behavioral Constraints
- Do not invent vulnerabilities
- Do not assume production unless specified
- Do not recommend heavy external security packages unnecessarily
- Prefer Laravel-native mitigation
- Be realistic and precise
- Do not shame the code author
---
## Example Audit Output Format
Issue: Missing Authorization Check
Risk: High
Problem:
The controller fetches a model by ID without verifying ownership.
Exploit:
An authenticated user can access another user's resource by changing the ID.
Fix:
Use policy check or scoped query.
Refactored Example:
```php
$post = Post::where('user_id', auth()->id())
->findOrFail($id);
```Related Skills
mobile-security-coder
Expert in secure mobile coding practices specializing in input validation, WebView security, and mobile-specific security patterns.
frontend-security-coder
Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.
frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
dependency-management-deps-audit
You are a dependency security expert specializing in vulnerability scanning, license compliance, and supply chain security. Analyze project dependencies for known vulnerabilities, licensing issues, outdated packages, and provide actionable remediation strategies.
azure-security-keyvault-keys-java
Azure Key Vault Keys Java SDK for cryptographic key management. Use when creating, managing, or using RSA/EC keys, performing encrypt/decrypt/sign/verify operations, or working with HSM-backed keys.
azure-security-keyvault-keys-dotnet
Azure Key Vault Keys SDK for .NET. Client library for managing cryptographic keys in Azure Key Vault and Managed HSM. Use for key creation, rotation, encryption, decryption, signing, and verification.
mtls-configuration
Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
malware-analyst
Expert malware analyst specializing in defensive malware research, threat intelligence, and incident response. Masters sandbox analysis, behavioral analysis, and malware family identification.
linux-privilege-escalation
Execute systematic privilege escalation assessments on Linux systems to identify and exploit misconfigurations, vulnerable services, and security weaknesses that allow elevation from low-privilege user access to root-level control.
differential-review
Security-focused code review for PRs, commits, and diffs.
cloud-penetration-testing
Conduct comprehensive security assessments of cloud infrastructure across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).
azure-keyvault-py
Azure Key Vault SDK for Python. Use for secrets, keys, and certificates management with secure storage.