
igmarin/rails-agent-skills

Curated library of 28 atomic skills and 9 personas for Ruby on Rails development. Organized by category: testing, code-quality, engines, infrastructure, api, context, and personas. Covers code review, architecture, security, testing (RSpec), engines, Hotwire, and TDD automation. Shared Ruby skills (YARD docs, DDD, service objects) have moved to ruby-core-skills.

Quality: 95% (Does it follow best practices?)

Impact: 93% (1.16x), average score across 28 eval scenarios

Security (by Snyk): Advisory. Suggest reviewing before use.


evals/scenario-10/criteria.json

{
  "context": "Checks whether the final artifact follows the security-check instructions from the published Rails Agent Skills plugin.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "instruction-1",
      "description": "The submitted artifact follows this skill instruction: You MUST use your filesystem and search tools (like listing directories and searching patterns) to locate any source files in the workspace. Only if the workspace is completely empty may you return a checklist and state that no source files were provided.",
      "max_score": 17
    },
    {
      "name": "instruction-2",
      "description": "The submitted artifact follows this skill instruction: Before writing any findings or analysis, you MUST run search and directory listing tools to find source files in the workspace (e.g. controllers, models, config files). Perform a code-level security review on the actual files found. Do not claim no source code was provided without first checking the workspace.",
      "max_score": 17
    },
    {
      "name": "instruction-3",
      "description": "The submitted artifact follows this skill instruction: Review in this sequence, and produce output sections in this same order (see Output Style):",
      "max_score": 17
    },
    {
      "name": "instruction-4",
      "description": "The submitted artifact follows this skill instruction: **Verify each finding:** Confirm it is exploitable with a concrete attack scenario before reporting. Exclude false positives (e.g., `html_safe` on a developer-defined constant, not user input).",
      "max_score": 17
    },
    {
      "name": "instruction-5",
      "description": "The submitted artifact follows this skill instruction: Do not use representative file paths as if they were confirmed evidence.",
      "max_score": 16
    },
    {
      "name": "instruction-6",
      "description": "The submitted artifact follows this skill instruction: **Hypothetical Exploitability Proof**: Even if no source files are provided and no vulnerabilities are found, you MUST include a **Hypothetical Exploitability Verification** sub-section inside the **Verification Steps & Quality Gates** section of the output `answer.md` (never as a separate top-level section interleaving the findings and the gates). Show a concrete example of a hypothetical vulnerability (e.g. an unscoped SQL query or open redirect) and detail exactly what the corresponding concrete attack scenario (exploit request/payload) would look like, proving how to confirm exploitability in practice.",
      "max_score": 16
    }
  ]
}
