Automatically validates security best practices and prevents vulnerabilities.

February 2, 2026

Install:

```shell
npx add-skill https://github.com/nbarthel/claudy/blob/5d4dc823a5e5605f0d8d004b6c8c97778d6b1b16/plugins/rails-workflow/skills/rails-security-patterns/skill.md -a claude-code --skill rails-security-patterns
```

Installation path: `.claude/skills/rails-security-patterns/`

# Rails Security Patterns Skill
Auto-validates security best practices and blocks common vulnerabilities.
## What This Skill Does
**Automatic Security Checks:**
- Strong parameters in controllers (prevents mass assignment)
- SQL injection prevention (parameterized queries)
- CSRF token handling (API mode considerations)
- Authentication presence
- Authorization checks
**When It Activates:**
- Controller files created or modified
- Model files with database queries modified
- Authentication-related changes
## Security Checks
### 1. Strong Parameters
**Checks:**
- Every `create` and `update` action uses strong parameters
- No direct `params` usage in model instantiation
- `permit` calls include only expected attributes
**Example Violation:**
```ruby
# BAD
def create
  @user = User.create(params[:user]) # ❌ Mass assignment
end

# GOOD
def create
  @user = User.create(user_params) # ✅ Strong params
end

private

def user_params
  params.require(:user).permit(:name, :email)
end
```
**Skill Output:**
```
❌ Security: Mass assignment vulnerability
Location: app/controllers/users_controller.rb:15
Issue: params[:user] used directly without strong parameters
Fix: Define strong parameters method:

  private

  def user_params
    params.require(:user).permit(:name, :email, :role)
  end

Then use: @user = User.create(user_params)
```
### 2. SQL Injection Prevention
**Checks:**
- No string interpolation in `where` clauses
- Parameterized queries used
- No raw SQL without placeholders
**Example Violation:**
```ruby
# BAD
User.where("email = '#{params[:email]}'") # ❌ SQL injection
User.where("name LIKE '%#{params[:query]}%'") # ❌ SQL injection
# GOOD
User.where("email = ?", params[:email]) # ✅ Parameterized
User.where("name LIKE ?", "%#{params[:query]}%") # ✅ Safe
User.where(email: params[:email]) # ✅ Hash syntax
```
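The two source-level rules above (section 1: a model fed `params[:x]` directly; section 2: Ruby interpolation inside a SQL fragment) can be illustrated with a small stand-alone checker. The following is an added example written for this page, not the skill's own implementation: it needs no Rails gems, the regexes and the `Finding` struct are this example's own, and the controller and model sources it scans are constructed sample input. It deliberately distinguishes interpolation inside the SQL string from interpolation in a bind argument, which is the safe form shown in the GOOD block.

```ruby
# Added example (not the rails-security-patterns skill's code): a minimal
# line-oriented checker for the two rules described above.

Finding = Struct.new(:file, :line, :issue, :code)

# Rule 1 (Strong Parameters): a model built or updated straight from
# params[:something] that is not narrowed with .permit.
MASS_ASSIGNMENT = /
  \b(?:[A-Z]\w*\.(?:create!?|new)|update!?|assign_attributes)  # Model.create, Model.new, .update, .assign_attributes
  \s*\(?\s*params\[:\w+\](?!\.permit)                          # given params[:x] with no .permit
/x

# Rule 2 (SQL Injection): a double-quoted SQL fragment handed to a query
# method that contains Ruby interpolation. Interpolation in a bind argument
# after the fragment is NOT flagged: [^"]* cannot cross the fragment's
# closing quote, so where("x LIKE ?", "%#{q}%") passes. Single-quoted
# strings do not interpolate in Ruby, so only double quotes are inspected.
SQL_INTERPOLATION = /
  \b(?:where|find_by_sql|execute|order|select|joins|having|group|pluck)  # query methods taking SQL fragments
  \s*\(\s*"[^"]*\#\{                                                   # fragment opened and interpolated
/x

# Scan one file's source and return a Finding per offending line.
def scan_source(file, source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    next if text.lstrip.start_with?("#") # skip comment-only lines
    if text.match?(MASS_ASSIGNMENT)
      findings << Finding.new(file, lineno, "Mass assignment vulnerability", text.strip)
    end
    if text.match?(SQL_INTERPOLATION)
      findings << Finding.new(file, lineno, "SQL injection vulnerability", text.strip)
    end
  end
  findings
end

# Render findings in the same shape as the skill output shown above.
def report(findings)
  findings.map do |f|
    "❌ Security: #{f.issue}\n" \
    "Location: #{f.file}:#{f.line}\n" \
    "Vulnerable code: #{f.code}\n"
  end.join("\n")
end

# Constructed sample input (single-quoted heredocs, so nothing interpolates here).
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def create
      @user = User.create(params[:user])
    end

    def update
      @user = User.find(params[:id])
      @user.update(user_params)
    end

    def search
      @users = User.where("name LIKE '%#{params[:query]}%'")
      @safe  = User.where("name LIKE ?", "%#{params[:query]}%")
      @hash  = User.where(email: params[:email])
    end

    private

    def user_params
      params.require(:user).permit(:name, :email)
    end
  end
RUBY

SAMPLE_MODEL = <<~'RUBY'
  class User < ApplicationRecord
    def self.by_email(email)
      where("email = '#{email}'")
    end

    def self.newest_first
      order("created_at DESC")
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  all = scan_source("app/controllers/users_controller.rb", SAMPLE_CONTROLLER) +
        scan_source("app/models/user.rb", SAMPLE_MODEL)
  puts report(all)
end
```

Run as a script it prints two findings for the controller (line 3, mass assignment; line 12, SQL injection) and one for the model (line 3), while the parameterized `where("name LIKE ?", ...)` and the hash-syntax `where(email: ...)` lines are left alone. A regex scanner like this is a first-pass filter only: heredoc SQL, `%()` strings and fragments assembled in a variable before the `where` call need an AST-based check (for example one built on the `parser` or `rubocop-rails` tooling) to be caught reliably.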
**Skill Output:**
```
❌ Security: SQL injection vulnerability
Location: app/models/user.rb:45
Issue: String interpolation in SQL query
Vulnerable code:
U