Rails TDD Standards

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is an instruction-only Rails testing guide with no code or credentials, but a few of its examples should be applied only in the intended test, CI, or explicitly approved security context.

This skill appears safe to install as an instruction-only Rails/RSpec guide. Before following its examples, make sure database commands are limited to test or CI environments and review any security-related Rails changes, such as forgery-protection settings, before applying them to application code.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied or run in the wrong environment, a database setup command could affect application data or schema state.

Why it was flagged

The skill includes an executable Rails database setup command. It is clearly presented as CI/test setup, which fits the stated testing purpose, but it changes the test database schema and should not be run against non-test environments.

Skill content

    - run: bundle exec rails db:schema:load RAILS_ENV=test

Recommendation

Keep this command limited to CI or RAILS_ENV=test, and confirm with the user before making database-related workflow changes.

What this means

An agent could suggest or apply a CSRF/forgery-protection change too broadly if the user does not review the context.

Why it was flagged

The skill labels disabling Rails forgery protection as the Rails 8 pattern. This may be legitimate in specific test or API contexts, but the snippet is security-sensitive and not scoped in the visible text.

Skill content

    # ✅ Rails 8
    skip_forgery_protection

Recommendation

Only use this pattern when the user explicitly wants that behavior and the target context is appropriate; do not apply it as a generic fix in production-facing controllers.