adr-skill
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- Local Script Execution: The skill utilizes several Node.js scripts (bootstrap_adr.js, new_adr.js, set_adr_status.js) to automate the creation and management of ADR files. These scripts rely on standard Node.js built-in modules (node:fs and node:path) to perform file system operations, keeping all processing local to the project repository.
- Structured Workflow and Intent Capture: The skill guides agents through a multi-phase process to capture architectural intent before drafting records. This workflow uses predefined templates and simple string manipulation for record generation, which is a common and safe pattern for documentation tools.
- Project Context Analysis (Indirect Prompt Injection Surface): As part of its initial phase, the skill instructs agents to scan existing documentation and repository configuration to gather context.
  - (1) Ingestion points: Local ADR directories (e.g., docs/decisions/) and package manifest files.
  - (2) Boundary markers: Markdown headings and structured template sections.
  - (3) Capability inventory: Local file system read/write via skill-provided scripts; no network or arbitrary code execution.
  - (4) Sanitization: Basic input validation and title slugification.
- Informational External References: The skill includes references to architecture standards such as MADR for informational purposes. These are provided as static markdown links within the templates and do not involve any automated network requests or remote script execution.
Audit Metadata