Curated library of AI agent skills for Ruby on Rails development. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and workflow automation.
Average score across 26 eval scenarios: 1.38x. Status: passed, no known issues.
A legal technology company is preparing for a security audit before onboarding enterprise customers. Their Rails application includes a document management module that was written quickly by a contractor. The CTO has asked for a thorough security assessment of the module's code before it touches any client data.
The engineering team needs a written security review they can share with their auditors and use to prioritise remediation work. The review should be actionable — auditors want to understand exactly what can go wrong and how an attacker would exploit each issue, not just a list of abstract best-practice suggestions.
Produce a security review of the code provided below. Save the review as security-review.md.
The following files are provided as inputs. Extract them before beginning.
=============== FILE: app/controllers/documents_controller.rb ===============

```ruby
class DocumentsController < ApplicationController
  def index
    query = params[:search]
    # The search term is interpolated straight into the SQL string (SQL injection).
    @documents = Document.where("title LIKE '%#{query}%' OR body LIKE '%#{query}%'")
    render :index
  end

  def show
    # Lookup by id only, with no check that the document belongs to the current user.
    @document = Document.find(params[:id])
    render :show
  end

  def update
    @document = Document.find(params[:id])
    # The whole params hash is passed to update (mass assignment); no ownership check.
    @document.update(params[:document])
    redirect_to @document
  end

  def destroy
    # Any authenticated caller can delete any document by id.
    @document = Document.find(params[:id])
    @document.destroy
    redirect_to documents_path
  end

  def download
    @document = Document.find(params[:id])
    # A user-supplied filename is joined to the storage root (path traversal),
    # and the file served is never tied to the document record that was looked up.
    file_path = Rails.root.join('storage', params[:filename])
    send_file file_path
  end
end
```
=============== FILE: app/models/document.rb ===============

```ruby
class Document < ApplicationRecord
  belongs_to :user
  has_many :document_versions

  # Fires on every save, not on access, despite the callback's name.
  after_save :log_access

  # Writes the entire record (every column, including body) to the application log.
  def log_access
    Rails.logger.info("Document accessed: #{self.inspect}")
  end

  # `term` is bound as a parameter, but `user_id` is interpolated into the SQL string.
  def self.search_for_user(user_id, term)
    where("user_id = #{user_id} AND title ILIKE ?", "%#{term}%")
  end
end
```
=============== FILE: config/initializers/api_keys.rb ===============

```ruby
# Live third-party credentials committed to source control as constants.
SENDGRID_API_KEY = "SG.abc123xyz789secretkey"
STRIPE_SECRET_KEY = "sk_live_realproductionkey999"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
```
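The files above are the scenario's deliberately weak input. As an added example that is not part of the skills repository or the scenario, the following plain-Ruby helpers show the remediation a review of each defect class would recommend (parameter binding with LIKE-wildcard escaping, attribute allow-listing, path confinement, identifier-only logging, secrets read from the environment), written without Rails so they run and can be tested stand-alone. The module and method names are hypothetical; in a real Rails application the same ideas map to `where("... ?", value)` with `sanitize_sql_like`, `params.require(:document).permit(...)`, `current_user.documents.find(params[:id])`, and `Rails.application.credentials` or `ENV`.

```ruby
# Added example (not from the repository): pure-Ruby versions of the fixes a
# security review of the scenario files would recommend. Method names are
# illustrative; Rails provides equivalents for each.
require "json"

module SecureDocumentHelpers
  module_function

  # 1. SQL: keep query text and values separate. A LIKE term also needs its
  #    wildcard characters escaped (Rails: sanitize_sql_like), otherwise a
  #    search for "%" matches every row.
  def like_escape(term, escape_char = "\\")
    term.gsub(/[\\%_]/) { |c| "#{escape_char}#{c}" }
  end

  # Returns [sql_with_placeholders, bind_values]; user_id must already be an
  # Integer, so a string such as "1 OR 1=1" is rejected before reaching the query.
  def search_query(user_id, term)
    raise ArgumentError, "user_id must be an Integer" unless user_id.is_a?(Integer)
    sql = "SELECT * FROM documents WHERE user_id = ? AND title LIKE ? ESCAPE '\\'"
    [sql, [user_id, "%#{like_escape(term)}%"]]
  end

  # 2. Authorization: scope the lookup to the caller's own records instead of
  #    trusting the id alone (Rails: current_user.documents.find(params[:id])).
  def find_owned_document(documents, current_user_id, id)
    documents.find { |d| d[:id] == id && d[:user_id] == current_user_id }
  end

  # 3. Mass assignment: only an explicit allow-list of attributes may be updated
  #    (Rails: params.require(:document).permit(:title, :body)).
  PERMITTED_DOCUMENT_ATTRS = %w[title body].freeze

  def permitted_attributes(raw_params)
    raw_params.select { |k, _| PERMITTED_DOCUMENT_ATTRS.include?(k.to_s) }
              .transform_keys(&:to_s)
  end

  # 4. Path traversal: accept only a bare basename, resolve it under the storage
  #    root, and refuse any result that escapes the root. Returns nil on rejection.
  def confined_storage_path(storage_root, filename)
    root = File.expand_path(storage_root)
    return nil if filename.nil? || filename.empty?
    # Rejects "../x", "/etc/passwd" and "a/b"; "." and ".." are caught below.
    return nil if File.basename(filename) != filename
    candidate = File.expand_path(filename, root)
    candidate.start_with?(root + File::SEPARATOR) ? candidate : nil
  end

  # 5. Logging: record identifiers, never `inspect` of the whole record, so
  #    document bodies and other sensitive columns stay out of log files.
  def access_log_line(document)
    { event: "document_accessed", id: document[:id], user_id: document[:user_id] }.to_json
  end

  # 6. Secrets: read from the environment (or Rails credentials) and fail fast
  #    when absent, rather than committing literal keys to source control.
  def fetch_secret(name, env = ENV)
    env.fetch(name) { raise KeyError, "missing secret #{name}; set it in the environment" }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for a quick demonstration.
  docs = [{ id: 1, user_id: 7, body: "contract text" }, { id: 2, user_id: 9, body: "other" }]
  puts SecureDocumentHelpers.search_query(7, "50% off").inspect
  puts SecureDocumentHelpers.find_owned_document(docs, 7, 2).inspect   # nil: not owned
  puts SecureDocumentHelpers.confined_storage_path("/srv/app/storage", "../config/secrets.yml").inspect
  puts SecureDocumentHelpers.access_log_line(docs.first)
end
```

The basename check in `confined_storage_path` is deliberately stricter than a prefix comparison alone: it rejects any separator in the input before the filesystem is consulted, and the `start_with?` test then catches `.` and `..`, which survive `File.basename` unchanged.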
api-rest-collection
create-prd
ddd-boundaries-review
ddd-rails-modeling
ddd-ubiquitous-language
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
generate-tasks
mcp_server
rails-architecture-review
rails-background-jobs
rails-bug-triage
rails-code-conventions
rails-code-review
rails-engine-compatibility
rails-engine-docs
rails-engine-extraction
rails-engine-installers
rails-engine-release
rails-engine-reviewer
rails-engine-testing
rails-graphql-best-practices
rails-migration-safety
rails-review-response
rails-security-review
rails-skills-orchestrator
rails-stack-conventions
rails-tdd-slices
refactor-safely
rspec-best-practices
rspec-service-testing
ruby-service-objects
strategy-factory-null-calculator
ticket-planning
yard-documentation