The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses the Bash tool and a helper script (scripts/find_next_adr_number.sh) to manage ADR numbering. The shell commands are limited to standard file system operations using find, sed, sort, and tail to identify the next sequential ADR number.
[EXTERNAL_DOWNLOADS]: The workflow incorporates WebSearch and WebFetch tools to gather technical context from external websites during the Research phase. These tools are used legitimately to populate the 'Context' and 'Alternatives' sections of the ADR files.
[REMOTE_CODE_EXECUTION]: No evidence of remote code execution. The included Python script (scripts/validate_adr.py) uses standard library modules for regex-based content validation and does not employ dynamic execution functions like eval() or exec().
[DATA_EXFILTRATION]: The skill does not access sensitive files (e.g., SSH keys, credentials) or attempt to transmit project data to untrusted external domains. Network activity is limited to inbound research queries.
[PROMPT_INJECTION]: While the skill processes untrusted data from the web via WebFetch, which constitutes an indirect prompt injection surface, the risk is inherent to its primary research purpose. The workflow maintains clear boundaries by directing this data into structured markdown sections (ADR.md) and persistent memory entities.

create-adr-spike