Claude Code skill · v0.1

Laravel Audit

A deterministic, dependency-free scanner packaged as a Claude Code skill. Point Claude at any Laravel 9/10/11/12 repo and get a scored HTML report in seconds.

Buy on Gumroad — $39One-time purchase · Free updates · Commercial license

13 rules: security, performance, AI-slop, deploy
File:line precision + plain-English fixes
Standalone HTML → print-to-PDF
White-label with your own brand + CTA
Zero Composer deps — PHP 8.1+ only
Installs in 3 steps

Sample reportmonica-report

0/ 100F

1,656 files scanned · 14 findings

Crit

High

Med

Low

APP_DEBUG enabled

.env:4

Potential N+1 inside foreach

app/Jobs/SyncImapFolderJob.php:101

What it catches, across four categories

Security (5)

Mass assignment, raw SQL interpolation, hardcoded secrets, debug leftovers, APP_DEBUG in prod.

Performance (3)

Potential N+1 inside loops, unindexed foreign keys, synchronous Mail::send.

AI-slop (2)

High TODO/FIXME density and clusters of stub functions that never got filled in.

Deploy hygiene (3)

Missing composer.lock, lock older than composer.json, PHP version unpinned.

The full rule set (v0.1)

Every finding comes with file:line precision and a one-line fix.

Rule	Title	Severity	Category
SEC-001	APP_DEBUG enabled in .env	critical	Security
SEC-002	Unbounded mass assignment ($guarded = [])	high	Security
SEC-003	Raw SQL with variable interpolation	critical	Security
SEC-004	Hardcoded API keys or secrets in source	critical	Security
SEC-005	dd() / dump() / var_dump() left in code	medium	Security
PERF-001	Potential N+1 query inside foreach	high	Performance
PERF-002	Foreign key column without index	medium	Performance
PERF-003	Synchronous Mail::send (not queued)	medium	Performance
SLOP-001	High TODO / FIXME density in a file	low	AI-slop tells
SLOP-002	Multiple stub functions with empty returns	low	AI-slop tells
DEPLOY-001	composer.lock missing	high	Deploy hygiene
DEPLOY-002	composer.lock older than composer.json	medium	Deploy hygiene
DEPLOY-003	PHP version not constrained in composer.json	low	Deploy hygiene

Installs in 3 steps

1
Download & unzip
Your Gumroad purchase gives you a single zip file with the skill.
2
Move into your Claude skills directory
mv laravel-audit ~/.claude/skills/
3
Restart Claude Code
The skill auto-registers. Ask Claude to audit any Laravel app.

Requires PHP 8.1+ (any install: Herd, Valet, Homebrew). Zero Composer dependencies.

White-label the report

Add your own brand, URL, and call-to-action to every report — ideal for consultants handing audits to clients.

{
  "brand_name": "Acme Code Reviews",
  "brand_url":  "https://acme.example.com",
  "footer_cta": "Want the full human-reviewed audit? Book a call."
}

Drop a config.json next to SKILL.md and every report carries your brand.

FAQ

Ready to audit your Laravel app?

One $39 purchase. Unlimited projects. Free v0.x updates.

Buy on Gumroad

Want a human-reviewed audit with custom fixes? Book a call.

Laravel Audit

What it catches, across four categories

Security (5)

Performance (3)

AI-slop (2)

Deploy hygiene (3)

The full rule set (v0.1)

Installs in 3 steps

White-label the report

FAQ

Does this replace Larastan / PHPStan / a pentest?

What PHP versions does it support?

What's the license?

Will there be more rules later?

Can I run it without Claude Code?

Ready to audit your Laravel app?