laravel-billing
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill references the installation of laravel/cashier via the Composer package manager. While Laravel is a widely trusted and reputable ecosystem, it is not explicitly listed in the predefined trusted organization scope, making the dependency technically unverifiable in this strict context.
- PROMPT_INJECTION (LOW): The skill defines an indirect prompt injection surface (Category 8) by providing templates that ingest untrusted external data to perform financial operations.
  - Ingestion points: SubscriptionController.php (via $request data) and WebhookController.php (via the $payload argument).
  - Boundary markers: No explicit delimiters or 'ignore' instructions are used to wrap or isolate the external data within the provided logic.
  - Capability inventory: The code snippets are capable of triggering high-impact financial actions, including subscription creation, charge generation, and refund processing via the Stripe/Paddle APIs.
  - Sanitization: No sanitization or validation logic is included in the documentation snippets, which is expected for simplified examples but highlights the inherent attack surface.
Audit Metadata