laravel-plugin-discovery
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions direct the user to configure an external MCP server at https://laraplugins.io/mcp/plugins. This domain is used to query package metadata and health scores. No sensitive data is transmitted, and the connection is used for its stated purpose of package discovery.
- [PROMPT_INJECTION]: The skill processes untrusted external data, making it a surface for indirect prompt injection (Category 8):
- Ingestion points: The GetPluginDetailsTool fetches package descriptions and readme content from the LaraPlugins API.
- Boundary markers: None identified in the prompt templates.
- Capability inventory: The skill itself does not specify dangerous capabilities like local command execution or file modification, though the agent using it may have such tools.
- Sanitization: No explicit sanitization or filtering of the retrieved readme content is described. This allows potentially malicious instructions embedded in a package's documentation to enter the agent's context.
Audit Metadata