Add Laravel Boost skill for security analysis #670
Description
Context
Laravel Boost (laravel/boost) provides AI agents with on-demand "skills" — focused knowledge modules that agents load when relevant. Third-party packages can ship their own skills by placing a resources/boost/skills/{skill-name}/SKILL.md file in the package.
Debugbar just shipped a Boost skill in v4.2.0 (see https://laravel-news.com/debugbar-releases-v420-and-add-a-new-boost-skill), setting a precedent for ecosystem packages.
Proposal
Ship a security-analysis (or psalm-security-analysis) Boost skill with psalm-plugin-laravel. When an AI agent activates this skill, it would get instructions on how to:
- Run Psalm taint analysis on the current project (vendor/bin/psalm --taint-analysis)
- Interpret taint-related issues (TaintedSql, TaintedHtml, TaintedShell, etc.)
- Fix common Laravel security patterns (unescaped output, raw queries, unvalidated input passed to sensitive sinks)
- Understand which Laravel APIs are taint sources vs sinks vs escapes (based on our stub annotations)
This would also include a guideline file (resources/boost/guidelines/core.blade.php) providing foundational context about what psalm-plugin-laravel does and how to configure it.
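As an added illustration of the "fix patterns" part of such a skill (not code from this issue or from psalm-plugin-laravel), the before/after shape an agent would be taught to recognise in taint-analysis output and to apply as a fix; the controller and its methods are hypothetical, and treating e() as the html escape the plugin's stubs annotate is an assumption here.

```php
<?php
// Added illustration, not part of the issue or of psalm-plugin-laravel.
// Shows the kind of Laravel code `vendor/bin/psalm --taint-analysis`
// flags, and the corrected form. Class and method names are hypothetical.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

final class UserSearchController
{
    // BEFORE: request input (a taint source) is concatenated into a raw
    // query (a sql sink) and echoed back unescaped (an html sink).
    // Taint analysis reports TaintedSql and TaintedHtml on this method.
    public function vulnerable(Request $request): string
    {
        $name = $request->input('name');
        $rows = DB::select("SELECT id FROM users WHERE name = '" . $name . "'");

        return '<p>Results for ' . $name . ': ' . count($rows) . '</p>';
    }

    // AFTER: the query text is a literal and the value is a bound parameter,
    // so no tainted path reaches the sql sink; the value is passed through
    // e() before output, which the plugin's stubs are assumed to annotate
    // as an html escape, so the TaintedHtml path is cut as well.
    public function hardened(Request $request): string
    {
        $name = (string) $request->input('name', '');
        $rows = DB::select('SELECT id FROM users WHERE name = ?', [$name]);

        return '<p>Results for ' . e($name) . ': ' . count($rows) . '</p>';
    }
}
```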
Skill file structure
```
resources/
  boost/
    guidelines/
      core.blade.php    # Always-loaded: what the plugin is, basic psalm.xml setup
    skills/
      psalm-security-analysis/
        SKILL.md        # On-demand: taint analysis workflow, issue interpretation, fix patterns
```
Why this matters
- Boost is becoming the standard way Laravel packages surface AI-agent context
- psalm-plugin-laravel's taint analysis is one of the few free security scanning options for Laravel
- AI agents currently have no structured knowledge about running or interpreting Psalm security scans
- This is a low-effort, high-visibility integration (just markdown files, no PHP code)
References
- Boost docs: https://laravel.com/docs/12.x/boost
- Boost third-party skills: https://laravel.com/docs/12.x/boost#third-party-package-skills
- Debugbar skill PR precedent: https://laravel-news.com/debugbar-releases-v420-and-add-a-new-boost-skill