
from igmarin
Performs a focused security audit of Ruby on Rails applications: auth/authz checks, parameter handling, query safety, output encoding, file handling, and secret
The Security Check skill provides a structured security-audit workflow for Ruby on Rails codebases. It guides an agent through prioritized inspections (authentication & authorization first, then parameter handling, query safety, output encoding, file handling/network calls, and secrets/logging). The skill enforces a HARD-GATE ordering so that auth/authz findings are reported first and requires explicit "No issues found" statements where appropriate. Outputs are checklist-style findings with severity, attack path, affected file hints, and minimal mitigations.
Use this skill when reviewing Rails controllers, models, background jobs, or deployment artifacts for security issues. It's appropriate for post-PR reviews, pre-release audits, or triage of reported vulnerabilities. Trigger it when the input mentions Rails, controllers, params, SQL, file uploads, credentials, or security review.
Best used by code-aware assistants that can parse code snippets or repository context (Code-capable LLMs: Copilot/Code, Claude Code, Gemini code-focused agents).
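As an added illustration (not code from the skill or its author), here is a minimal Ruby script that applies the skill's HARD-GATE ordering to a constructed Rails controller: auth/authz findings come first, every category emits an explicit "No issues found" line when nothing matches, and each finding carries a severity, a line number and a file hint. The regex heuristics, the sample controller and the file-hint path are assumptions chosen for the example.

```ruby
# Check categories in the skill's HARD-GATE order; each regex is a coarse
# heuristic for one well-known Rails anti-pattern (illustrative, not complete).
CHECKS = [
  ["auth/authz", "HIGH", /skip_before_action\s+:authenticate_user!/,
   "authentication filter skipped; verify the action is intentionally public"],
  ["auth/authz", "HIGH", /\.find\(\s*params\[:id\]\s*\)/,
   "record loaded by id without scoping to current_user (possible IDOR)"],
  ["parameter handling", "MEDIUM", /params\.permit!/,
   "permit! allows mass assignment of every attribute"],
  ["query safety", "HIGH", /\.(where|order|pluck)\(\s*"[^"]*#\{/,
   "string interpolation inside a SQL fragment (SQL injection)"],
  ["output encoding", "MEDIUM", /\.html_safe\b|raw\(/,
   "HTML escaping bypassed; ensure the value is not user-controlled"],
  ["file handling", "MEDIUM", /send_file\(\s*params\[/,
   "send_file path taken from params (path traversal risk)"],
  ["secrets/logging", "LOW", /logger\.\w+\([^)]*password/i,
   "credential-like value written to the log"],
]
CATEGORIES = CHECKS.map(&:first).uniq

# Scan `source` (a Rails file as a string) and return ordered findings:
# [category, severity, line_number, message]. A category with no hits yields
# an explicit "No issues found" entry instead of staying silent.
def audit(source, file_hint = "app/controllers/example_controller.rb")
  lines = source.lines
  CATEGORIES.flat_map do |cat|
    hits = CHECKS.select { |c, _, _, _| c == cat }.flat_map do |_, sev, re, msg|
      lines.each_with_index
           .select { |line, _| line =~ re }
           .map { |_, i| [cat, sev, i + 1, "#{file_hint}:#{i + 1} #{msg}"] }
    end
    hits.empty? ? [[cat, nil, nil, "No issues found"]] : hits
  end
end

# Constructed sample controller (not real project code) to exercise the checks.
SAMPLE = <<~'RUBY'
  class DocumentsController < ApplicationController
    skip_before_action :authenticate_user!, only: :show
    def show
      @doc = Document.find(params[:id])
      send_file(params[:path])
    end
    def search
      @docs = Document.where("title LIKE '%#{params[:q]}%'")
    end
  end
RUBY

audit(SAMPLE).each { |cat, sev, ln, msg| puts [cat, sev, ln, msg].join(" | ") }
```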
Security-check is a pure-prompt security scanning suite that instructs AI agents to perform a 4-phase pipeline (Recon→Hunt→Verify→Report) covering 48 OWASP skills and 7 language-specific scanners. No bundled scripts — relies entirely on the agent's natural language capabilities. The SKILL.md is well-structured with clear triggers and a comprehensive skill taxonomy, but lacks error handling guidance, output format contracts beyond directory structure, and has no programmatic verification. Security score reduced for instructing agents to perform penetration testing and active scanning which could be misused without proper guards; no hardcoded secrets or destructive commands found.
Well-organized SKILL.md with good frontmatter. The 48-skill taxonomy is impressive but the actual depth of each check depends on the agent's knowledge — no checklists or reference files are bundled. The claim of '3000+ checklist items' and '7 language-specific deep scanners' isn't backed by any included data files. Would benefit from references/ directory with actual checklist content.