igmarin/ruby-core-skills
Curated library of 16 public Ruby AI agent skills: 10 atomic skills (YARD docs, service objects, calculator pattern, API clients, DDD, bug triage, code review, skill routing), 5 process-discipline skills (TDD, refactoring, review, security, test planning), and 1 planning skill (TDD task generation). Zero agents — this is a foundational library consumed by framework-specific tiles like rails-agent-skills and hanakai-yaku.
95
96%
Does it follow best practices?
Impact
95%
1.05xAverage score across 16 eval scenarios
Passed
No known issues
SKILL.mdskills/process/security-review-process/
- name:
- security-review-process
- license:
- MIT
- description:
- Standardizes security review procedures for Ruby code mapped to OWASP Top 10: allowlist all input params before processing, forbid SQL interpolation (`#{}`), verify no secrets committed or logged, run `bundle exec bundle-audit check --update`, check for shell injection (`system()`, backticks, `exec()`), and discard instruction-like keys (`prompt`, `instructions`) in JSON payloads. Covers input validation, secrets management, and dependency audits. Trigger words: security review, check security, audit code, security vulnerability, secrets check, OWASP.
- metadata:
- {"version":"1.0.0","user-invocable":"true","type":"process-discipline"}
Security Review Process
Security Gates & Quick Reference
| Area | Gate |
|---|---|
| Input Validation | Untrusted payloads must pass an allowlist filter before processing |
| Secrets | NO secrets may be committed or logged |
| Injections | Direct SQL interpolation (#{id}) is FORBIDDEN |
| Dependencies | Run bundle-audit before finalizing changes |
Process Steps
Step 1: Input Validation Audit
- Identify all entry points (controllers, API endpoints, webhooks, console runners).
- Verify every parameter is explicitly allowlisted and type-coerced if necessary.
- Ensure instruction-like keys (e.g.
prompt,instructions) in JSON payloads are discarded or neutralized.
Step 2: Injections Check
- Audit all database interactions:
- Verify no raw SQL strings are built via string interpolation (
#{}). - Confirm the database client's query parameterization features are used.
- Verify no raw SQL strings are built via string interpolation (
- Audit file and command executions:
- Avoid dynamic shell commands via backticks,
system(), orexec(). If necessary, pass arguments as separate array items.
- Avoid dynamic shell commands via backticks,
Step 3: Secrets and Logs Check
- Read configuration from environment variables (
ENV['SECRET']) or secure config vaults — never raw literals. - Verify sensitive data (passwords, tokens, personal identifiers) is filtered/redacted from log output.
Step 4: Dependency and CVE Checks
- Scan project dependencies:
bundle exec bundle-audit check --update - If a vulnerability is reported, plan a safe version upgrade.
Checkpoint Pattern
Align with the user:
- Security Vulnerability Assessment: Present concerns categorized by threat vector (e.g. SQL injection, secrets leak).
- Mitigation Verification: Once fixes are made, demonstrate how the parameterized query or filter blocks the exploit vector.
Code Defenses Examples
1. Preventing SQL Injection
Vulnerable:
db.execute("SELECT * FROM users WHERE name = '#{params[:name]}'")Secure:
db.execute("SELECT * FROM users WHERE name = ?", params[:name])2. Preventing Shell Injection
Vulnerable:
system("rm -rf #{params[:path]}")Secure:
system("rm", "-rf", params[:path])Integration
| Context | Next Skill |
|---|---|
| Standard code reviews | review-process |
| General TDD loops | tdd-process |
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
skills
code-quality
respond-to-review
ddd
define-domain-language
model-domain
review-domain-boundaries
docs
write-yard-docs
orchestration
skill-router
patterns
create-service-object
implement-calculator-pattern
planning
generate-tdd-tasks
process
testing
triage-bug