igmarin/rails-agent-skills
Curated library of 42 public AI agent skills for Ruby on Rails development, plus 5 callable workflow skills. Organized by category: planning, testing, code-quality, ddd, engines, infrastructure, api, patterns, context, orchestration, and workflows. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and TDD automation.
97
97%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
SKILL.mdskills/code-quality/rails-security-review/
- name:
- rails-security-review
- license:
- MIT
- description:
- Performs security audits and vulnerability assessments on Ruby on Rails application code. Use when reviewing Rails code for security risks, assessing authentication or authorization, auditing parameter handling, redirects, file uploads, secrets management, or checking for XSS, CSRF, SSRF, SQL injection, and other common vulnerabilities.
Rails Security Review
Use this skill when the task is to review or harden Rails code from a security perspective.
Core principle: Prioritize exploitable issues over style. Assume any untrusted input can be abused.
HARD-GATE: Authorization Findings Lead the Report
BEFORE returning your security review, verify:
1. The FIRST finding section in your output is "Authentication & Authorization"
2. SQL injection, XSS, or other findings come AFTER auth/authz — even if
they feel more severe or were discovered first
3. If no auth/authz issue exists, the report still opens with an explicit
"Authentication & Authorization: no issues found" line BEFORE any other
finding categoryQuick Reference
| Area | Key Checks |
|---|---|
| Auth | Permissions on every sensitive action |
| Params | No permit!, whitelist only safe attributes |
| Queries | Parameterized — no string interpolation in SQL |
| Redirects | Constrained to relative paths or allowlist |
| Output | No html_safe/raw on user content |
| Secrets | Encrypted credentials, never in code or logs |
| Files | Validate filename, content type, destination |
Review Order
- Check authentication and authorization boundaries.
- Check parameter handling and sensitive attribute assignment.
- Check redirects, rendering, and output encoding.
- Check file handling, network calls, and background job inputs.
- Check secrets, logging, and operational exposure.
- Verify each finding: Confirm it is exploitable with a concrete attack scenario before reporting. Exclude false positives (e.g.,
html_safeon a developer-defined constant, not user input).
Severity Levels
High
- Missing or bypassable authorization checks
- SQL, shell, YAML, or constantization injection paths
- Unsafe redirects or SSRF-capable outbound requests
- File upload handling that trusts filename, content type, or destination blindly
- Secrets or tokens stored in code, logs, or unsafe config
Medium
- Unscoped mass assignment through weak parameter filtering
- User-controlled HTML rendered without clear sanitization
- Sensitive data logged in plaintext
- Security-relevant behavior hidden in callbacks or background jobs without guardrails
- Brittle custom auth logic where framework primitives would be safer
Review Checklist
- Are permissions enforced on every sensitive action?
- Are untrusted inputs validated before database, filesystem, or network use?
- Are redirects and URLs constrained?
- Are secrets stored and logged safely?
- Are security assumptions explicit and testable?
Examples
High-severity (unscoped redirect):
# Bad: user-controlled redirect — open redirect / phishing risk
redirect_to params[:return_to]
# Good: relative path only
redirect_to root_path
# Good: allowlist
SAFE_PATHS = %w[/dashboard /settings].freeze
redirect_to(SAFE_PATHS.include?(params[:return_to]) ? params[:return_to] : root_path)Medium-severity (mass assignment):
# Bad: privilege escalation risk
params.require(:user).permit!
# Good: explicit whitelist — never include role, admin, or privilege fields
params.require(:user).permit(:name, :email)Pitfalls
See PITFALLS.md for the full list. Critical anti-patterns: permit! on any parameter set, html_safe on user content, SQL string interpolation, secrets in committed files.
Output Style
Section order per the HARD-GATE. Every heading appears even when empty (write "No issues found.").
## Authentication & Authorization
## Parameter Handling & Mass Assignment
## Query Safety (SQL / NoSQL / shell injection)
## Output Encoding & Redirects
## Secrets, Logging & Operational ExposureEach finding carries:
- Severity: High or Medium (not "Critical")
- Attack path: input → reach → impact
- Affected file: path + line, e.g.
app/controllers/documents_controller.rb:42 - Mitigation: smallest credible fix
Integration
| Skill | When to chain |
|---|---|
| rails-code-review | For full code review including non-security concerns |
| rails-architecture-review | When security issues stem from architectural problems |
| rails-migration-safety | When reviewing migration security (data exposure, constraints) |
build
docs
mcp_server
skills
api
api-rest-collection
rails-graphql-best-practices
code-quality
rails-architecture-review
rails-code-conventions
rails-code-review
rails-review-response
rails-security-review
rails-stack-conventions
assets
snippets
refactor-safely
context
rails-context-engineering
rails-project-onboarding
ddd
ddd-boundaries-review
ddd-rails-modeling
ddd-ubiquitous-language
engines
rails-engine-compatibility
rails-engine-docs
rails-engine-extraction
rails-engine-installers
rails-engine-release
rails-engine-reviewer
rails-engine-testing
infrastructure
rails-api-versioning
rails-background-jobs
rails-database-seeding
rails-frontend-hotwire
rails-migration-safety
rails-performance-optimization
orchestration
rails-skills-orchestrator
patterns
ruby-service-objects
strategy-factory-null-calculator
yard-documentation
planning
create-prd
generate-tasks
ticket-planning
testing
rails-bug-triage
rails-tdd-slices
rspec-best-practices
rspec-service-testing
workflows