From rails-agent-skills
Performs a security audit of Rails applications, checking for XSS, CSRF, SSRF, SQL injection, open redirects, and secrets exposure. Never reproduces secrets verbatim.
How this skill is triggered — by the user, by Claude, or both
Slash command
/rails-agent-skills:security-checkThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
```text
CREDENTIAL HANDLING (W007 — Insecure Credential Exposure Defense):
- NEVER reproduce credentials, tokens, API keys, passwords, or secrets verbatim
in output — flag by file path and line number only.
- When a finding involves secrets in code or logs, report:
Affected file: app/config/initializers/foo.rb:12
Finding: API key present in plain text — move to Rails credentials or ENV
Do NOT quote the secret value itself.
- Exploitability Verification sub-sections MUST use generic placeholder values
(e.g. "<REDACTED>", "<TOKEN>") — never the actual credential.
- If a file scan returns a secret value, stop — report its location, not its content.
| Area | Key Checks |
|---|---|
| Auth | Permissions on every sensitive action |
| Params | No permit!, allowlist only safe attributes |
| Queries | Parameterized — no string interpolation in SQL |
| Redirects | Constrained to relative paths or allowlist |
| Output | No html_safe/raw on user content |
| Secrets | Encrypted credentials, never in code or logs |
| Files | Validate filename, content type, destination |
Core principle: Prioritize exploitable issues over style. Treat all untrusted input as potentially abused.
Before writing any findings or analysis, you MUST run search and directory listing tools to find source files in the workspace (e.g. controllers, models, config files). Perform a code-level security review on the actual files found. Only if the workspace is completely empty may you return a checklist and state that no source files were provided.
Review in this sequence, and produce output sections in this same order:
html_safe on a developer-defined constant, not user input).Validation gate: The first output section must always be "Authentication & Authorization". If no auth/authz issue exists, open with "Authentication & Authorization: no issues found" before any other category.
permit! or unscoped mass assignmentHigh-severity (unscoped redirect):
# Bad: user-controlled redirect — open redirect / phishing risk
redirect_to params[:return_to]
# Good: relative path only
redirect_to root_path
# Good: allowlist
SAFE_PATHS = %w[/dashboard /settings].freeze
redirect_to(SAFE_PATHS.include?(params[:return_to]) ? params[:return_to] : root_path)
Medium-severity (mass assignment):
# Bad: privilege escalation risk
params.require(:user).permit!
# Good: explicit allowlist — never include role, admin, or privilege fields
params.require(:user).permit(:name, :email)
When asked to perform a security audit, your output MUST include:
app/controllers/documents_controller.rb:42SRC_DIR/ or HYPOTHETICAL_DIR/hypothetical_controller.rbLoad these files only when their specific content is needed:
| Skill | When to chain |
|---|---|
| code-review | For full code review including non-security concerns |
| review-architecture | When security issues stem from architectural problems |
| review-migration | When reviewing migration security (data exposure, constraints) |
| security-review-process (from ruby-core-skills) | Process discipline: OWASP checklist, Ruby-level security concerns |
npx claudepluginhub igmarin/rails-agent-skillsAudits code for vulnerabilities using OWASP checklist on injection, authentication, authorization, secrets, input validation, configuration, dependencies, and cryptography risks.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.