spec-driven-init

Pass

Audited by Gen Agent Trust Hub on Apr 4, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Node.js script (spec-driven.js) using the node command to perform initialization tasks, such as creating the .spec-driven/ directory and regenerating index files. This execution is limited to local scripts provided within the skill's distribution.
  • [DATA_EXPOSURE]: Accesses local project metadata and documentation files, including package.json, README.md, and pom.xml, to extract project context. This access is necessary for the skill's primary function of project initialization and does not involve external network transmission.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface as it ingests untrusted data from project files (e.g., README.md) to generate a project summary.
    • Ingestion points: Project documentation files (README.md, AGENTS.md, etc.) and configuration files (package.json, pom.xml) as specified in SKILL.md.
    • Boundary markers: Absent.
    • Capability inventory: Executes node shell commands and writes to local YAML configuration files.
    • Sanitization: No automated sanitization is described; however, the skill includes a mandatory human-in-the-loop step where the generated draft is presented to the user for review and adjustment before being finalized.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 4, 2026, 04:52 PM