⚡ A growing skill library · Laravel-native · Claude Code

A skills library to keep Laravel projects healthy.

Drop a skill into Claude Code and ask in plain words. It turns raw tool output — composer audit, route:list — into a clear, ranked to-do list: safe updates, replacements for dead packages, and IDOR / access-control holes. It only advises — you stay in control.

Composer tells you what's outdated.
// this library tells you what to do about it.

The library

Skills catalog

Each skill is one self-contained folder. Read about it, install just that one. More get added over time.

How it works

Your tools find facts. These skills tell you what to do.

Scanners and Composer show you problems. These skills decide what to do about them — the way a senior reviewer would — and never touch your project. Every skill follows the same three rules.

Reads the real output

Runs the real tools — composer outdated / audit, php artisan route:list — and works from what they say. Never makes up a version, a CVE, or a route.

Decides what matters

Sorts and ranks by confidence: the safest fix for a CVE, a live replacement for a dead package, the route where an IDOR really leaks data.

Only advises

Gives you a ranked plan with proof and exact commands. Never edits your composer.json, routes, policies, or code — you apply every fix.

FAQ

Frequently asked questions

How do I audit Composer dependencies in a Laravel project?

Grab just the composer-dependency-triage skill into your project (npx degit ArtemProshkovskiy/laravel-maintenance-skills/skills/composer-dependency-triage .claude/skills/composer-dependency-triage), open it in Claude Code, and ask “audit my composer dependencies.” The skill runs composer outdated and composer audit, then returns a prioritized Do-now / Do-carefully / Defer plan with exact commands. No marketplace or whole-library install required.

What can I use to replace an abandoned Composer package?

The skill recommends a maintained, community-standard successor for abandoned packages — even when Composer only prints “No replacement was suggested” — and tells you whether the migration is drop-in or an API change. Every replacement is marked “verify before adopting.”

How does it find the safest fix for a security advisory?

It reads each advisory’s affected-version range literally, computes the lowest fixed version, prefers a drop-in patch within your current major, and confirms that version exists — so a CVE never pushes you into a needless major migration.
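The selection rule described above, written out as an added example (not the skill's own code). It assumes the `|`-separated, comma-AND-ed range syntax that Composer advisories use for affected versions, plain numeric release numbers, and a release list you have already fetched; the advisory range and releases below are constructed.

```python
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "=": operator.eq, "==": operator.eq}

def parse_version(text):
    """'v2.1.4' -> (2, 1, 4). Assumes plain numeric releases (no -beta suffixes)."""
    parts = [int(p) for p in text.lstrip("v").split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_ranges(affected):
    """'>=1.0,<1.8.7|>=2.0,<2.1.4' -> list of ranges; each range is AND-ed clauses."""
    ranges = []
    for alternative in re.split(r"\s*\|+\s*", affected.strip()):
        clauses = re.findall(r"(>=|<=|>|<|==|=)?\s*v?(\d+(?:\.\d+)*)", alternative)
        if clauses:
            ranges.append([(op or "=", parse_version(ver)) for op, ver in clauses])
    return ranges

def is_affected(version, ranges):
    """A version is affected if it satisfies every clause of at least one range."""
    return any(all(OPS[op](version, bound) for op, bound in r) for r in ranges)

def safest_fix(installed, affected, available):
    """Return (version, kind) for the lowest existing release that is not affected."""
    ranges = parse_ranges(affected)
    current = parse_version(installed)
    if not is_affected(current, ranges):
        return None, "not affected"
    # Only releases that actually exist are candidates, so a range bound such as
    # "<2.1.4" never yields a version that was never tagged.
    fixed = sorted(v for v in map(parse_version, available)
                   if v > current and not is_affected(v, ranges))
    same_major = [v for v in fixed if v[0] == current[0]]
    if same_major:
        return ".".join(map(str, same_major[0])), "drop-in patch"
    if fixed:
        return ".".join(map(str, fixed[0])), "major migration"
    return None, "no fixed release"

# Constructed sample: the advisory range and release list are made up for illustration.
AFFECTED = ">=1.0,<1.8.7|>=2.0,<2.1.4"
RELEASES = ["1.8.6", "2.0.3", "2.1.3", "2.1.5", "3.0.0"]  # 2.1.4 was never tagged

if __name__ == "__main__":
    print(safest_fix("2.0.3", AFFECTED, RELEASES))
    print(safest_fix("1.8.6", AFFECTED, RELEASES))
```

The 1.x case shows the fallback: with no fixed 1.x release in the list, the lowest unaffected release sits in another major, so the result is labelled as a migration rather than a drop-in patch.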

Does it change my composer.json or run updates?

No. It is advise-only: it reads files and runs read-only commands, then hands you a plan. It never edits composer.json, the lockfile, or code — you run every command yourself.

How do I find IDOR / broken access control in a Laravel app?

Open your project in Claude Code and ask “review my authorization” or “find IDOR in this app.” The laravel-authorization-review skill walks every route’s authorization chain — middleware → policy/gate → Eloquent query scoping → API Resource output — anchored to php artisan route:list, and returns a per-route coverage map with confidence-rated findings. It targets broken object-level authorization (BOLA), #1 in the OWASP API Security Top 10 — the bug class static scanners structurally miss.
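A coverage map for the first link of that chain only (middleware), as an added example that is not the skill's own code. It assumes the JSON shape of `php artisan route:list --json` with `method`, `uri` and `middleware` keys, and accepts middleware as either aliases or resolved class names; the routes below are constructed.

```python
import json
import re

# Constructed sample shaped like `php artisan route:list --json` output
# (keys assumed: method, uri, middleware). All routes are hypothetical.
ROUTE_LIST_JSON = r'''[
 {"method": "GET|HEAD", "uri": "dashboard", "middleware": ["web", "auth"]},
 {"method": "GET|HEAD", "uri": "orders/{order}",
  "middleware": ["web", "auth", "can:view,order"]},
 {"method": "PUT", "uri": "orders/{order}",
  "middleware": ["web", "App\\Http\\Middleware\\Authenticate",
                 "Illuminate\\Auth\\Middleware\\Authorize:update,order"]},
 {"method": "GET|HEAD", "uri": "invoices/{invoice}", "middleware": ["web", "auth"]},
 {"method": "GET|HEAD", "uri": "api/reports/{report:uuid}", "middleware": ["api"]}
]'''

def has(middleware, alias, class_name):
    """True if the alias ('can') or its resolved class ('...\\Authorize') is listed."""
    for entry in middleware:
        name = entry.split(":", 1)[0]          # drop parameters such as ':view,order'
        if name == alias or name.rsplit("\\", 1)[-1] == class_name:
            return True
    return False

def coverage_map(route_list_json):
    """Return (method, uri, status) per route, judged from middleware alone."""
    rows = []
    for route in json.loads(route_list_json):
        mw = route.get("middleware") or []
        if isinstance(mw, str):                # tolerate newline-joined strings
            mw = mw.splitlines()
        # {order}, {order?} and {report:uuid} all name an object taken from the URL.
        params = re.findall(r"\{(\w+)(?::\w+)?\??\}", route["uri"])
        if not params:
            status = "no object parameter"
        elif has(mw, "can", "Authorize"):
            status = "policy middleware present"
        elif has(mw, "auth", "Authenticate"):
            # Logged in, but no object-level check visible at this layer.
            status = "auth only: verify controller/policy"
        else:
            status = "no auth middleware"
        rows.append((route["method"], route["uri"], status))
    return rows

if __name__ == "__main__":
    for row in coverage_map(ROUTE_LIST_JSON):
        print("%-9s %-28s %s" % row)
```

Routes marked "auth only" are where the remaining links (a Gate::authorize() call or policy in the controller, Eloquent query scoping, API Resource output) still have to be read by hand.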

Can it review just the routes changed in a pull request?

Yes. Ask it to “review authorization on this PR’s new routes” and it intersects the route inventory with the changed controllers and route files, so you sanity-check new endpoints before merge instead of re-scanning the whole app.

Do these skills work on Laravel 11 and 12?

Yes. The skills recognize current Laravel conventions — Gate::authorize(), the AuthorizesRequests trait, policy auto-discovery, the #[UsePolicy] attribute, and policy registration in AppServiceProvider (Laravel 11+) as well as the older AuthServiceProvider — and check a package’s real PHP/Laravel constraints before recommending any major bump.

Get started

Grab just the skill you need

You don't install the whole library. Each skill is one folder — drop the one you want into your project's .claude/skills/ and it just works. No marketplace needed.

In your Laravel project:
# Authorization / IDOR review — grab just this skill
npx degit ArtemProshkovskiy/laravel-maintenance-skills/skills/laravel-authorization-review \
  .claude/skills/laravel-authorization-review

# …or the dependency-triage skill instead
npx degit ArtemProshkovskiy/laravel-maintenance-skills/skills/composer-dependency-triage \
  .claude/skills/composer-dependency-triage

# then open Claude Code in the project and just ask (these are prompts, not shell commands):
#   review my authorization / find IDOR in this app
#   audit my composer dependencies

Use ~/.claude/skills/ instead to install a skill globally (every project). No npx? Clone the repo and copy the one skill folder. Each skill page has full instructions.

Want every skill at once? Add the plugin marketplace (optional)
In Claude Code:
/plugin marketplace add ArtemProshkovskiy/laravel-maintenance-skills
/plugin install laravel-maintenance@laravel-maintenance-skills