Curated library of AI agent skills for Ruby on Rails development. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and workflow automation.
Scorecard: 98 | Does it follow best practices? 99% | Impact 98% | 1.38x average score across 26 eval scenarios | Passed | No known issues
{
  "context": "Tests whether the agent performs a Rails security review following the rails-security-review skill: covering the correct review areas in order, classifying findings by correct severity levels, and producing output with all four required fields per finding.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Auth/authz reviewed first",
      "description": "The review report addresses authentication or authorization issues before or separately from parameter, query, or output issues — the first finding or section covers auth concerns",
      "max_score": 8
    },
    {
      "name": "Parameter handling reviewed",
      "description": "The review explicitly addresses how parameters are handled (strong params, mass assignment, or permit patterns)",
      "max_score": 8
    },
    {
      "name": "Query safety reviewed",
      "description": "The review addresses SQL query construction, injection risk, or use of parameterized queries",
      "max_score": 8
    },
    {
      "name": "High severity: SQL injection identified",
      "description": "The SQL injection vulnerability in the provided code is classified as High severity (not Medium or Low)",
      "max_score": 10
    },
    {
      "name": "High severity: missing authz identified",
      "description": "The missing authorization check is classified as High severity",
      "max_score": 10
    },
    {
      "name": "Medium severity finding identified",
      "description": "At least one finding is correctly classified as Medium severity (e.g. sensitive data logging, unscoped mass assignment, or weak filtering)",
      "max_score": 8
    },
    {
      "name": "Attack path per finding",
      "description": "Each High severity finding includes an attack path — a description of how an attacker would exploit the issue",
      "max_score": 10
    },
    {
      "name": "Affected file per finding",
      "description": "Each finding names the specific file (and ideally line or method) where the vulnerability exists",
      "max_score": 10
    },
    {
      "name": "Mitigation per finding",
      "description": "Each finding includes a smallest credible mitigation — a concrete, actionable fix rather than a generic recommendation",
      "max_score": 10
    },
    {
      "name": "Exploitability focus",
      "description": "The review prioritizes findings that are directly exploitable (e.g. no auth check, raw string interpolation in query) over style issues — does NOT lead with stylistic concerns",
      "max_score": 8
    },
    {
      "name": "Secrets and output reviewed",
      "description": "The review addresses at least one of: secrets in code/logs, unsafe redirects, or output rendering (HTML/XSS) concerns",
      "max_score": 10
    }
  ]
}

api-rest-collection
create-prd
ddd-boundaries-review
ddd-rails-modeling
ddd-ubiquitous-language
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
generate-tasks
mcp_server
rails-architecture-review
rails-background-jobs
rails-bug-triage
rails-code-conventions
rails-code-review
rails-engine-compatibility
rails-engine-docs
rails-engine-extraction
rails-engine-installers
rails-engine-release
rails-engine-reviewer
rails-engine-testing
rails-graphql-best-practices
rails-migration-safety
rails-review-response
rails-security-review
rails-skills-orchestrator
rails-stack-conventions
rails-tdd-slices
refactor-safely
rspec-best-practices
rspec-service-testing
ruby-service-objects
strategy-factory-null-calculator
ticket-planning
yard-documentation
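As an added illustration of what the rails-security-review eval checklist above expects from a finding, and not code from this skills library: a small Ruby scanner that flags the checklist's patterns (unscoped lookups, SQL string interpolation, raw params in mass assignment, secrets in log lines, open redirects, unescaped output) in constructed sample sources and emits each finding with the four required fields, auth/authz findings first and High ahead of Medium. The regex rules, file names, sample controller and view are assumptions made for this example; a real review reads the code rather than pattern-matching it, so treat this as a demonstration of the report shape and ordering only.

```ruby
# Added example for the rails-security-review checklist (not the skill's own code).
# Emits findings with severity, affected file:line, attack path and the smallest
# credible mitigation, ordered auth/authz first, then by severity.

Finding = Struct.new(:area, :severity, :file, :line, :attack_path, :mitigation,
                     keyword_init: true)

SEVERITY_RANK = { high: 0, medium: 1, low: 2 }.freeze

# Heuristic rules; the patterns are assumptions for this example, not an exhaustive Rails ruleset.
RULES = [
  { area: :authz, severity: :high,
    # Model.find(params[:id]) with no scoping to current_user and no policy check
    pattern: /\b[A-Z]\w*\.find\(params\[:id\]\)/,
    attack: 'any logged-in user swaps :id for another user\'s record id (IDOR / missing authz)',
    fix: 'scope the lookup, e.g. current_user.documents.find(params[:id]), or authorize via a policy' },
  { area: :query, severity: :high,
    # string interpolation inside where/order/find_by_sql/select
    pattern: /\.(where|order|find_by_sql|select)\(\s*"[^"]*#\{/,
    attack: 'a crafted parameter breaks out of the SQL string and changes the query (SQL injection)',
    fix: 'use placeholders: where("title LIKE ?", "%#{q}%") or a hash condition' },
  { area: :params, severity: :medium,
    pattern: /(\.(new|create|update)\(\s*params\[|permit!)/,
    attack: 'client sets any attribute of the model, e.g. owner_id or an admin flag (mass assignment)',
    fix: 'pass params.require(:document).permit(:title, :body) instead of raw params' },
  { area: :secrets, severity: :medium,
    pattern: /logger\.\w+\(.*(password|token|secret)/i,
    attack: 'credentials land in log files and aggregators readable by operators and attackers',
    fix: 'drop the value from the log line or add the key to config.filter_parameters' },
  { area: :redirect, severity: :medium,
    pattern: /redirect_to\(?\s*params\[/,
    attack: 'a link with return_to=https://evil.example sends the victim off-site (open redirect)',
    fix: 'allow-list the target (relative paths only) or use Rails 7\'s url_from(params[:return_to])' },
  { area: :output, severity: :medium,
    pattern: /(<%=\s*raw\b|\.html_safe\b)/,
    attack: 'stored HTML/JS in the field is rendered unescaped in other users\' browsers (XSS)',
    fix: 'render with <%= @document.body %> (auto-escaped) or sanitize(@document.body)' }
].freeze

# Scan a { path => source } hash and return findings in checklist order.
def scan(sources)
  findings = []
  sources.each do |file, text|
    text.each_line.with_index(1) do |line, lineno|
      RULES.each do |rule|
        next unless line.match?(rule[:pattern])
        findings << Finding.new(area: rule[:area], severity: rule[:severity], file: file,
                                line: lineno, attack_path: rule[:attack], mitigation: rule[:fix])
      end
    end
  end
  # auth/authz first (checklist item 1), then exploitable High before Medium, then by location
  findings.sort_by { |f| [f.area == :authz ? 0 : 1, SEVERITY_RANK[f.severity], f.file, f.line] }
end

# One three-line entry per finding carrying the four required fields.
def report(findings)
  findings.map do |f|
    "[#{f.severity.to_s.upcase}] #{f.area} #{f.file}:#{f.line}\n" \
    "  attack path: #{f.attack_path}\n" \
    "  mitigation:  #{f.mitigation}"
  end.join("\n")
end

# Constructed sample sources (hypothetical app), written to trip each rule once or twice.
SAMPLE_SOURCES = {
  'app/controllers/documents_controller.rb' => <<~'RUBY',
    class DocumentsController < ApplicationController
      before_action :authenticate_user!

      def show
        @document = Document.find(params[:id])
      end

      def search
        @documents = Document.where("title LIKE '%#{params[:q]}%'")
      end

      def update
        @document = Document.find(params[:id])
        @document.update(params[:document])
        Rails.logger.info("updated document with token #{params[:api_token]}")
        redirect_to params[:return_to] || documents_path
      end
    end
  RUBY
  'app/views/documents/show.html.erb' => "<%= raw @document.body %>\n"
}.freeze

puts report(scan(SAMPLE_SOURCES)) if $PROGRAM_NAME == __FILE__
```

Run it directly to see the ordered report; the two `Document.find(params[:id])` lookups come out first as High (missing authorization), the interpolated `where` next as High (SQL injection), and the mass assignment, token logging, open redirect and `raw` output follow as Medium, each with a file:line, an attack path and a concrete fix.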