Curated library of 39 AI agent skills for Ruby on Rails development. Organized by category: planning, testing, code-quality, ddd, engines, infrastructure, api, patterns, context, orchestration, and workflows. Includes 5 callable workflow skills (rails-tdd-loop, rails-review-flow, rails-setup-flow, rails-quality-flow, rails-engines-flow) for complete development cycles. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and TDD automation.
Score: 95
Does it follow best practices? 98%
Impact: 95%
1.20x average score across 35 eval scenarios
Passed, no known issues
{
  "context": "Tests whether the agent safely handles dynamic SQL queries with user-controlled sort columns, sort directions, and filter values by using allowlists, bound parameters or sanitize_sql_array, and avoiding direct string interpolation of untrusted input into SQL.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "No sort column interpolation",
      "description": "The sort column name is NOT directly interpolated or concatenated into a SQL string from a user-supplied parameter — zero occurrences of `\"#{params` or `\"#{sort` or similar inside a SQL fragment",
      "max_score": 13
    },
    {
      "name": "Sort column allowlist",
      "description": "An explicit allowlist (array or hash) of permitted column names is defined in the code, and the sort column is validated against it before being used in a query",
      "max_score": 13
    },
    {
      "name": "Sort direction allowlist",
      "description": "Sort direction (ASC/DESC or asc/desc) is validated against an allowlist — NOT taken verbatim from the request parameter and interpolated into SQL",
      "max_score": 10
    },
    {
      "name": "Bound params or sanitize_sql_array for WHERE",
      "description": "WHERE clause filter values are passed using bound parameters (e.g., `where('status = ?', status)`, `where(status: status)`) or `sanitize_sql_array` — NOT string interpolation of the raw param value",
      "max_score": 13
    },
    {
      "name": "No user input in order() string",
      "description": "No call to `.order()` passes a string argument that directly incorporates an unvalidated request parameter value",
      "max_score": 12
    },
    {
      "name": "Allowlist as constant or frozen structure",
      "description": "The column allowlist is defined as a constant (ALL_CAPS), a frozen array/hash, or is initialised once — NOT rebuilt inline on every method call via a raw array literal in the guard clause",
      "max_score": 8
    },
    {
      "name": "No send or eval with user column",
      "description": "The code does NOT use `send`, `public_send`, or `eval` with the user-supplied sort column string to call methods dynamically on the model",
      "max_score": 10
    },
    {
      "name": "Comment on raw SQL rationale",
      "description": "If raw SQL fragments are used (e.g., `Arel.sql(...)` or a string passed to `order()`), a comment explains WHY the raw SQL approach was chosen over a pure ActiveRecord alternative",
      "max_score": 8
    },
    {
      "name": "Safe fallback on invalid input",
      "description": "The code handles the case where the sort column or direction is not in the allowlist — either by returning an error, using a default value, or ignoring the invalid parameter — not crashing or silently executing",
      "max_score": 8
    },
    {
      "name": "Frozen string literal",
      "description": "The file begins with `# frozen_string_literal: true`",
      "max_score": 5
    }
  ]
}
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31
scenario-32
scenario-33
scenario-34
scenario-35
mcp_server
skills
api
api-rest-collection
rails-graphql-best-practices
code-quality
rails-architecture-review
rails-code-conventions
rails-code-review
rails-review-response
rails-security-review
rails-stack-conventions
assets
snippets
refactor-safely
context
rails-context-engineering
rails-project-onboarding
ddd
ddd-boundaries-review
ddd-rails-modeling
ddd-ubiquitous-language
engines
rails-engine-compatibility
rails-engine-docs
rails-engine-extraction
rails-engine-installers
rails-engine-release
rails-engine-reviewer
rails-engine-testing
infrastructure
rails-api-versioning
rails-background-jobs
rails-database-seeding
rails-frontend-hotwire
rails-migration-safety
rails-performance-optimization
orchestration
rails-skills-orchestrator
patterns
ruby-service-objects
strategy-factory-null-calculator
yard-documentation
planning
create-prd
generate-tasks
ticket-planning
testing
rails-bug-triage
rails-tdd-slices
rspec-best-practices
rspec-service-testing
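The safe pattern that the dynamic-sort eval checklist above scores (frozen allowlists as constants, hash-form `order()` and `where()` so nothing from the request reaches a SQL string, and a default fallback on invalid input), as an added Ruby example that is not part of the skill library. The `SortableQuery` module, its column names and the `Post` model named in the comments are assumptions for illustration.

```ruby
# frozen_string_literal: true

# Added example (hypothetical, not part of the skill library): a sort/filter
# sanitizer that satisfies the eval checklist. It has no ActiveRecord
# dependency so it runs stand-alone; a controller would call
#   Post.where(SortableQuery.filters(params)).order(SortableQuery.ordering(params))
# and let Rails quote the identifiers and bind the values.
module SortableQuery
  # Allowlists live in frozen constants, not inline array literals in a guard.
  SORT_COLUMNS    = %w[created_at title views].freeze
  SORT_DIRECTIONS = %w[asc desc].freeze
  FILTER_COLUMNS  = %w[status author_id].freeze
  DEFAULT_SORT    = { column: "created_at", direction: "desc" }.freeze

  module_function

  # Builds the hash form of order(), e.g. { views: :asc }. Rails quotes the
  # column and accepts only :asc/:desc there, so nothing from the request is
  # ever interpolated into an SQL string. Unknown values fall back to the
  # default instead of raising or being passed through.
  def ordering(params)
    column    = params["sort"].to_s
    direction = params["direction"].to_s.downcase
    column    = DEFAULT_SORT[:column]    unless SORT_COLUMNS.include?(column)
    direction = DEFAULT_SORT[:direction] unless SORT_DIRECTIONS.include?(direction)
    { column.to_sym => direction.to_sym }
  end

  # Builds the hash form of where(). Values are sent as bound parameters by
  # the adapter; keys are restricted to the allowlist so a client cannot
  # filter on columns the endpoint never meant to expose.
  def filters(params)
    filter_params = params["filter"]
    return {} unless filter_params.is_a?(Hash)

    filter_params.select { |key, _| FILTER_COLUMNS.include?(key.to_s) }
                 .to_h { |key, value| [key.to_sym, value] }
  end
end

# Stand-alone demonstration with constructed request params.
if $PROGRAM_NAME == __FILE__
  p SortableQuery.ordering("sort" => "views", "direction" => "ASC")
  p SortableQuery.ordering("sort" => "no_such_column", "direction" => "sideways")
  p SortableQuery.filters("filter" => { "status" => "published", "id" => 1 })
end
```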