143 AI Skills for Laravel/PHP on NEW Skills.laravel.cloud

Hello guys, recently I noticed a new website Laravel skills. Here's a tweet by Nuno Maduro. So skills.laravel.cloud is reusable agent skills for Laravel and PHP developers. And I decided to try it out. It looks like this. So here's a website Laravel skills with 143 different skills for AI agent. And important part is powered by skills.sh which is a website by Versel. They launched a few months ago with general skills for AI agents, not necessarily for Laravel. So this is how it looks. Their own kind of leaderboard and most popular skills and part of those skills were imported into this specific skills. So are those skills actually useful? I tried quite a few of them. Do they actually work? And what's inside in their source? All of that in this video. Also at the end I will talk about my own methodology how I think about the skills in the core Laravel and boost and then separate skills from the internet. So this will be a longer video with a lot of thoughts. Let's dive in. So first let me show you the general logic the example how you can install those skills in your project. So each skill has a page with install command which you just copy in your project. In this case I have an older Laravel project which was a demo. I installed the skill and then Laravel boost takes care of everything else. Skills installed. And now if we go toai agents from what I remember. No, I think it's just agents. Yes. Then we have skills and we have Laravel default skills and then the new one Laravel security audit which means we can prompt now and Laravel AI agent may use that skill if our prompt is relevant. What does that mean with skills? The thing is that they are not used automatically. You need to either specifically prompt for them to be used or LLM relies on the description of the skill to be automatically triggered. But in our case, let's do it this way. I can tell cloud code to use that skill. So use security audit. What's the skill name? Laravel security audit skill. Laravel security audit skill. Like this. It's autocompleted with slash because every skill is also a slash command. So use Laravel skill to perform security audit. But actually thinking about it, it doesn't even make much sense. We can just launch Laravel security audit like this. So pretty recently they merged together the skills and slashcomand. So you may just call the skill like this. And at the end of this video I will show after the work is done. probably going to be like 10 minutes or so. We'll see what it did for security, but this is the example of how you can install a skill into your project. Now, the thing is not with every skill that installation instruction and command will work well. I've tried quite a few on the page and sometimes they just don't work. So, for example, there is a skill refactor Laravel. I copy it here and it will say that failed to fetch repository not found 404. And this is what leads us to the question where do those skills come from in the first place? How they are evaluated validated and who is responsible for whether they would even work and for that we may read the docs of that page Laravel skills and the section how skills are added. Skills are automatically imported from skills.sh SH ecosystem. So this website skills laravel cloud is not responsible for skills at all. You cannot import it here. You can import it on skills.sh and then your skill may be automatically imported here if the skill is tagged with Laravel or PHP. On top of that there are automatic security audits which is important and I think it's a very good step which is also emphasized and announced by skills.sh creator GMO CEO of Verscell. So they have 62,000 skills now in the ecosystem and they have automatically scanned the skills for security vulnerabilities. So that's good. But with 62,000 skills, if I understand correctly, there is no human effort to vet, to filter, and to approve those skills. It's kind of a wild west where people import their skills into the huge database and part of that database lands on this skills.l.cloud. So no one I think is actually reviewing whether the skill is still fresh, whether it still works after a month and stuff like that. So basically if you use any skill from here or from skills.sh, SH you're on your own to validate the skill and the vendor and we'll talk about that at the end of this video. For now, let's browse some of the skills and see how actually useful they are. And while I'm talking here, our security audit skill was successfully finished in 4 minutes. And let's see what it found. So what is the result of that skill security audit? So identified vulnerabilities, no authorization policies. Some of those things are expected because it was a demo project and I wasn't paying too much attention to that. But also interesting vulnerability related to AI. For example, system prompts are user writable and yes in that project you can have text area in filament to add something to your system prompt. So this is kind of a security vulnerability. Also user ID infillable. I wouldn't consider it a security thing too much because it depends how it is used than image stored publicly. So yeah, you get the idea. You get the security review of your project which is I think pretty useful. But now let's take a look under the hood what's inside. So we can click on the source and then we land on usually GitHub of that skill source. And here you will see kind of a trend. So the skill is not about Laravel or about Laravel security the skill database. So it's called anti-gravity awesome skills and this is kind of majority of the skills on skills.sh and also on skills.laravel.cloud. There's a repository with a lot of skills some of them about Laravel. So in this case anti-gravity awesome skills there's so many and if we search for Laravel yeah it is here Laravel security audit and Laravel expert and now if we navigate here this is the actual prompt for your role use your skill when do not use when and then these are the details what is actually searching for which looks good and seems useful but on the other hand who is the author of those bullet points and lists. If it's anti-gravity awesome skills, then I assume that it's written not by Laravel developer, it's probably automatically written by AI and then applied to majority of projects with anti-gravity by that author. So my point is that this maybe is not even validated in any way or reviewed or tested or updated to even latest Laravel versions perhaps. I'm not sure. I'm just claiming the things. For example, if we go to antgravity awesome skills repository, the author is nickname sick n33. No name or surname or photo. The repository is ultimate collection for agentic skills and I don't know it's similar to trusting the packages for Laravel or npm install like do you trust the vendor and that Laravel skills website as I said is full of these examples. So for example, if we go to Laravel specialist, whatever that means, if we go to source, then we have GitHub with Laravel specialist as one of the folders. And if we go to skills, this is the list of all skills, not only about Laravel at all. It's a huge list probably by that developer. Jeff Allen is the nickname. And the repository is called Claude Skills, not related to Laravel at all. So this is another example or for example we can go to Laravel best practices. We go to the source and again we have agent skills with Laravel best practices as just one of the skills and those best practices to be honest those are a lot of personal preferences. So for example service classes, action classes and repository pattern when to use which it's kind of written in best practices in the rules here. So for example, action classes here used for discrete operation to achieve maximum reusability which is again probably AI generated I assume but I'm cautious to blame anyone but actually let's take a look at history of that specific file and yeah as you can see add 307 rule files in one commit by the author and Claude then upgrade skills to versel structure to skills.sh SH which is great and then fix issues for accuracy format and code correctness. Let's see. So yeah, there's a fix for Laravel best practices generated with cloud code with sonnet 4.6. So yeah, these are rules and skills generated by AI agents for AI agents and some of those skills in my opinion are actually duplicating laral boost thing. So for example app guidelines if we go to the source again it's a repository by someone agent skills and laravel is just one of them and then core conventions of laravel 11 and 12 this is all in Laravel boost more or less in the guidelines also there are skills for wavefinder if I remember correctly and inertia so a lot of those things are either now in updated laravel boost or was from the beginning and this file was updated 2 months ago. So this is another thing with skills and especially with those repositories probably they import the skill once and then they leave it be in their database but neither the author if they don't work on Laravel anymore probably nor the database care about updating skills updating the guidelines the text tag and new versions and so on. So, you're also at risk. For example, when Laravel 13 comes out, I'm not sure if that will be quickly updated to Laravel 13. Again, I may be too negative here, but this is my kind of impression from what I see inside of those repositories of skills. Out of curiosity, let's also take a look at history. And again, I don't see any commits specifically about Laravel. add to multiple skill files, add author metadata, expand marketplace, and so on. That said, no matter how negative I am here about this database, some of the skills are genuinely useful for scanning your codebase for example, I wouldn't use most of them as like guidelines for like best practices of PHP and Laravel, but for review something, it may discover interesting and useful things. So let's try another one called review.php again from the author with lion avatar here. So if we go to the source, who is that person? Okay, it's still a lion without any name. So again, I cannot really trust it, but I can probably feel safe about prompt injection or something like that probably. Again, not 100%. But let's actually try to perform that check on the same codebase. So again we copy the same command boost add skill here and will it work? Yeah, we have a skill installed and then let's open clot code with dangerously skip permissions and run /re PHP command and we get the question no PHP files currently modified. So it's scanning only the latest like uncommitted files. The entire app directory would be my answer and let's see what it comes up with. The entire is with typo but it should be probably okay. And while it is running we may take a look at the skill and read it. And I want to emphasize that many of those things are standards but some of them are really personal preferences preferences by that author or more often than not preferences of AI agent who wrote those rules. So many of those skills are kind of opinionated not only by person but by AI agents and opinionated is not necessarily a wrong thing. We had that for many many years in the community. So for example on my channel I had a few videos for example four years ago guidelines from spatiy. So spaty well-known Laravel company they have their own guidelines for PHP and for Laravel. Also I found convention guidelines for another companydf. So basically for many years each company had their own guidelines and rules and presets for Laravel Pine for example or PHPCS fixer and even actually Laravel Pint if we go on GitHub of Laravel Pint introduction is Laravel Pint is opinionated code style fixer. So basically same with skills each skill each guideline is opinionated by that author that company or that AI agent again and it also feels online with all the big databases of skills and prompts and various tweets that each developer and almost each person is trying to reinvent the wheel and come up with their own set of biggest and most useful databases of skills which makes sense. What works for some projects will not work for others. So if you get a skill from the internet, it's not necessarily going to work in your project with your text tag and versions and so on. And for example, my also opinionated way to deal with skills in Laravel. I published it recently workflows for Laravel repository and I have my own guidelines for Laravel and filament and not skills. So what I'm thinking is we need to trust the skills by official Laravel core team. So Laravel boost with guidelines with some of the things moved into separate skills. They cover majority of the tech stack powered and supported by firstparty official team and they are very good at updating those guidelines. Pushback is very active on Twitter with Laravel boost and skills updates, new versions, new guidelines. I see it all the time. They're doing great job. So, I think we can trust them more than random skills on the internet. And also, if we want to add some other skills, they may be not necessarily related to Laravel. And with our skills, I prefer to use guidelines which are then with Laravel boost added to Claude MD or agents MD with only just some of the things about tool calling that I prefer. For example, you must generate test and test must cover both happy and failure scenarios. Also another tool mentioned to use context 7 when to run npm run build and stuff like that. So in those guidelines I remember they were much longer like half a year ago. I shortened it because I noticed that official Laravel boost with guidelines cover most of these things and also important part the models got much better. So in most cases we don't really need specific Laravel skills in addition to official ones and that is of course for Laravel and LLM are well trained on Laravel and the code base is pretty stable for many years. Different scenario is with filament for example. So for filament I do have my own guidelines as well. I shortened them as well. So this is the version of my guidelines from January 2026 which is like 2 months ago and they were much longer. Actually in February this was the update. I was trying to list all the things that AI agents should deliver in filament four or five versions because LLMs are not that well trained on filament and specifically on latest versions. So they often generate older version deprecated code. So for filament specifically I think we do need extra skills and guidelines. But in my case I was tired to add more and more lines to these guidelines. So that's why I created a package filler check which is in my opinion a better way more deterministic way to fix the code instead of relying on skills or guidelines which may or may not be ignored. You just do the scan after the code is generated by AI agent similar to Laravel Pint or Larristan or other scanning tools not AI prompts. This is a tool that doesn't use AI. It checks the files locally. And that idea seemed to resonate with people because according to packages now we have more than 8,000 installs already. And also the list of rules of deprecations grew into much more sophisticated. So we released Filich Pro. And this is by the way today is the last day of the launch price. Interestingly, I wasn't even planning to mention that price launch in this video because this video is about skills. But when I wrote the scenario, I wanted to show Phillich as kind of alternative to skills. And then I remembered that March 18th is the last day of the launch price because we launched version one. So it's kind of out of beta. So if you do want to use filament with fillet, yeah, the discount is here for you. So kind of unplanned commercial for my own tool. But anyway, the thought is that for Laravel ecosystem, I'm not a big fan of skills from the internet. But let's see what that skill that we launched a few minutes ago. What did it find? So for 7 minutes, it was working and what did it find? Review PHP 42 PHP files. Okay, missing declare strict types, which is again a personal preference. So that skill probably enforces that incorrect type hint. This may be important. If that function fails, there may be type error. So this is a good find. But actually it should have been covered by automated tests. So probably automated test is missing in that potentially undefined variable. So this should be probably caught by larristan similar unused imports. This may be covered by Laravel Pint or Larestan. I don't even remember which one. So yeah, unused import, unused import and others. So basically cleanup is needed. Also suggestion about raw SQL. So yeah, it found something which leads me back to the point that some skills are useful to just scan your codebase and maybe find something useful. So in the video description below, I will make a list of specific skills that I do recommend to at least run something like that. So yeah guys, what do you think about this skills Laravel cloud and skills.sh? Do you use skills from the internet from some GitHub repository or by some author and do you trust them? Does it actually work for you? Or do you create your own skills or guidelines or whatever on top of default Laravel text tack? As always, we can discuss in the comments below. That's it for this time and see you guys in other