Action Cable & WebSocket Patterns

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW (SAFE)
Full Analysis
  • [GENERAL_SECURITY] (LOW): Documentation in references/deployment.md recommends config.action_cable.disable_request_forgery_protection = true. This violates a best practice: it disables Action Cable's built-in protection against Cross-Site WebSocket Hijacking (CSWSH), leaving only origin checks, which are easy to misconfigure.
  • [DATA_EXPOSURE] (LOW): The authentication patterns in SKILL.md and references/javascript-consumers.md demonstrate passing sensitive JWTs in URL query strings (?token=...). This is a security anti-pattern: tokens carried in URLs are frequently exposed through browser history, server and proxy logs, and HTTP Referer headers.
  • [SAFE] (INFO): The core instructions in SKILL.md demonstrate a strong security-first mindset, specifically the 'Authorization First' principle and the use of as_json(only: [...]) to ensure only intended data fields are broadcast to clients.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 10:20 AM