SKILL.md Format

The machine-readable interface declaration for CLI tools.

Six requirements

A tool that meets all six is agent-native.

Recommended: Doctor command

Running tool doctor --format json checks health — config validity, dependencies, connectivity — and reports readiness in a standard schema.

SKILL.md template

Required sections: Install, Commands, What this does NOT do, Parsing examples.

# tool-name

One-line description.

## Install

```
brew install user/tap/tool-name
```

## Commands

### tool-name analyze

Analyzes input and produces a report.

**Flags:**
- `--format json` — output as JSON

**JSON output:**
```json
{
  "status": "pass | fail | warn",
  "items": [{"name": "...", "result": "..."}]
}
```

**Exit codes:**
- 0: success
- 1: failure
- 2: partial results

## Handoffs

- Output: structured JSON report. Next: a diagnostic tool for root cause.
- Refused questions: why did it fail, should we fix it.

## What this does NOT do

- Does not modify input files
- Does not manage database schemas
- Does not execute remediation — only reports state

## Failure Modes

- Network timeout: returns degraded status. Distrust: real-time fields.
- Config missing: returns exit code 1. Safe fallback: use defaults.

## Parsing examples

```bash
tool-name analyze --format json | jq '.status'
```

Optional sections

• Handoffs — output type, next tool category, refused questions. Recommended for tools with 3+ commands.
• Failure Modes — how it fails, what to distrust, safe fallback. Recommended for tools with external dependencies.
• Deprecated — lifecycle markers for commands being phased out.

Validation

Run ancc validate . to check all 30 conventions — 11 structural checks (fail), 4 semantic checks (warn), and 15 quality/ecosystem checks (warn). See Getting Started.

Design boundary

ANCC is a contract spec, not a runtime. It defines what a well-behaved tool looks like. It does not enforce behavior at runtime — that is delegated to CI gates (ancc validate in GitHub Actions), governance tooling, and the agent orchestration layer. Same separation as OpenAPI defining schemas while API gateways enforce them.

Discovery

ANCC defines how tools advertise capabilities, not how they are found. Discovery is deliberately out of scope — and this is a design choice, not a gap.

Why ANCC does not define discovery. Discovery depends on deployment context. A single developer on a laptop finds tools differently than 500 autonomous agents in a fleet. A discovery protocol baked into the spec would either be too simple for fleet scale or too heavy for single-user. ANCC stays at the contract layer — the same SKILL.md works regardless of how the agent found the tool.

What agents do in practice. Three patterns, simplest to most structured:

• Local filesystem. Agent reads SKILL.md from a known path or the repo root. Works for tools installed on the same machine. No network, no registry.
• GitHub topic search. Published tools carry the ancc topic. ancc search "capability" queries GitHub for matching tools and ranks by SKILL.md content. Works for discovery across public repos.
• Service endpoint. At fleet scale, agents discover services (not binaries) via environment variables, config files, or DNS. The tool's SKILL.md still defines the contract — but the agent finds the service URL before it reads the SKILL.md. ANCC does not define the service discovery mechanism because every infrastructure already has one (DNS, env vars, Consul, K8s services).

What ANCC does not provide — and why:

• No central registry. Registries require governance, uptime, and trust — each of which is a separate problem from tool contracts.
• No distribution protocol. brew install, go install, and curl | tar already work. Adding another layer solves nothing.
• No runtime resolution. ANCC is a static contract. How an agent resolves a URL or finds a binary at runtime is the orchestration layer's job.

Catalog

A machine-readable list of all public ANCC-compliant tools is available at:

curl -s https://ancc.dev/catalog.json | jq '.tools[] | .name, .description'

The catalog auto-updates weekly from GitHub. Any public repo with the ancc topic appears automatically — no registration, no approval, no gatekeeping. The catalog is a snapshot, not a registry. Tools self-declare compliance via SKILL.md; the catalog just makes them findable.

Agents use it for pre-creation search: before scaffolding a new tool, check if the capability already exists.

Breadcrumbs

Every ANCC-compliant SKILL.md ends with a breadcrumb line that creates an organic discovery loop:

---

This tool follows the [Agent-Native CLI Convention](https://ancc.dev). Validate with: `ancc validate .`

An agent reading any tool's SKILL.md sees the breadcrumb → discovers ANCC exists → installs the validator → runs ancc audit on its own environment → discovers gaps → searches for tools to fill them → each new tool has its own breadcrumb.

The result: every ANCC-compliant tool is an entry point to the ecosystem. No central registry needed — the tools themselves are the discovery network.

Security considerations

ANCC does not currently define a trust or signing model for tool artifacts. Install mechanisms (brew install, go install, curl | tar) carry the same supply chain risks as any CLI tool distribution. ANCC does not make this worse, but does not solve it yet.

Planned but not implemented: signed releases, provenance attestation, allowed install sources, and capability-scoped permissions. These layers become necessary when untrusted third parties publish ANCC-compliant tools. Until then, trust is established through source ownership and CI validation.