External Research Skill
Overview
This skill defines the mandatory methodology for conducting external research during planning and implementation phases. It ensures that all external knowledge is gathered from authoritative sources, properly validated, version-aware, and correctly cited.
Why External Research is Critical
The Problem with Model Memory
Large Language Models have knowledge cutoffs and can hallucinate API details, deprecated patterns, or incorrect version-specific behavior. Relying solely on model memory for technical implementation details is dangerous and unacceptable.
Common failure modes when relying on model memory:
| Failure Mode | Example | Consequence |
|---|---|---|
| Outdated APIs | Using componentWillMount in React 18 | Runtime warnings, deprecated code |
| Version Mismatches | Assuming FastAPI 0.100+ syntax in 0.95 project | Import errors, crashes |
| Hallucinated Methods | Inventing .toJSON() on objects that don't have it | Runtime errors |
| Security Vulnerabilities | Using outdated authentication patterns | Exploitable code |
| Incorrect Defaults | Wrong default parameter values | Subtle bugs |
| Missing Breaking Changes | Not knowing about API removals | Production failures |
The Solution: Verified External Research
By using external research tools, we:
- Get current, accurate information directly from official sources
- Verify version compatibility before writing any code
- Discover breaking changes that model memory doesn't know about
- Find security advisories and best practices
- Locate working code examples from official documentation
- Ensure correct API signatures with proper types and parameters
Research Capabilities
Your environment likely provides these capabilities (tool names vary by platform):
1. Web Search (e.g., search_web, @web, /web)
Purpose: Discover official documentation, changelogs, breaking changes, security advisories, RFCs, tutorials, and best practices.
When to Use:
- Starting research on any external library or framework
- Finding official documentation URLs
- Discovering recent changes, updates, or deprecations
- Locating security advisories or CVEs
- Finding community best practices and patterns
- Researching error messages or edge cases
Best Practices:
- Use specific, targeted queries (e.g., "FastAPI 0.110 authentication JWT" not just "FastAPI auth")
- Include version numbers when relevant
- Include the current year to filter out outdated content (see Time-Aware Searching below)
- Search for "[library] breaking changes [version]" when upgrading
- Search for "[library] security advisory" for security-sensitive code
- Use the
domainparameter to prioritize official sources (e.g.,domain: "fastapi.tiangolo.com")
⏰ Time-Aware Searching (Critical for Relevant Results):
Adding the current year dramatically improves search result relevance:
# Without year - may return outdated 2020-2023 content
"FastAPI JWT authentication"
# With year - prioritizes current best practices
"FastAPI JWT authentication 2026"
"React useEffect best practices 2026"
"Python security vulnerabilities 2026"
Why this matters:
- Libraries update frequently; old tutorials may use deprecated APIs
- Security recommendations evolve constantly
- LLM training data has cutoffs; searching with current year compensates
- Use the script
scripts/get_current_time.py --tipsfor query examples
Query Examples:
Good: "Next.js 14 app router server actions tutorial 2026"
Good: "React 18 useEffect cleanup async 2026"
Good: "Python 3.12 new features type hints"
Bad: "how to use react"
Bad: "javascript tutorial"
2. URL Fetching (e.g., read_url_content, WebFetch, URL Context)
Purpose: Fetch and read the actual content of documentation pages, specifications, guides, and reference materials discovered via search_web.
When to Use:
- After discovering relevant URLs via
search_web - Reading official API reference documentation
- Extracting code examples from documentation
- Validating that a URL contains the information you need
- Reading changelogs and migration guides
- Extracting specific parameter details, types, and signatures
Best Practices:
- Always read official documentation, not just search snippets
- Extract and note exact API signatures, not paraphrased versions
- Look for code examples you can adapt
- Note any warnings, caveats, or edge cases mentioned
- Check the documentation version matches your target version
- Read multiple sections if needed (installation, usage, API reference)
What to Extract:
- Exact function/method signatures with types
- Required vs optional parameters
- Default values
- Return types
- Exception/error types that can be raised
- Code examples (especially official ones)
- Version-specific notes or warnings
3. Documentation APIs (e.g., context7 MCP, library-specific APIs)
Purpose: Deep, version-aware framework, SDK, and API knowledge with authoritative context. Provides structured documentation queries with version-specific accuracy.
Tools Available:
mcp_context7_resolve-library-id: Resolves a library name to a Context7-compatible IDmcp_context7_query-docs: Queries documentation for a specific library
When to Use:
- When you need version-specific API details
- For deep framework knowledge (React, Next.js, FastAPI, etc.)
- When you need accurate, structured API information
- To verify patterns and best practices for specific versions
- When
search_webresults are too general or scattered
Best Practices:
- Always resolve the library ID first using
mcp_context7_resolve-library-id - Use specific, detailed queries (not just "how to use X")
- Include context about what you're trying to accomplish
- Reference the version you're targeting
- Use the returned code examples as authoritative references
Query Examples:
Good: "How to implement JWT authentication middleware in Express.js 4.x"
Good: "React 18 useEffect cleanup function for async operations"
Good: "FastAPI dependency injection with database sessions"
Bad: "auth"
Bad: "database"
Library ID Format: /org/project or /org/project/version
Examples:
/vercel/next.js/fastapi/fastapi/facebook/react/expressjs/express
Research Methodology
Step 1: Identify What Needs Research
Before writing any code that uses external libraries, APIs, or frameworks, identify:
- All external libraries/packages being used
- The exact versions of each library
- Specific features or APIs you'll be using
- Any integrations between libraries
- Security-sensitive operations (auth, crypto, etc.)
Step 2: Conduct Systematic Research
For each external dependency:
-
Resolve library ID (if using context7)
mcp_context7_resolve-library-id("fastapi", "How to create API endpoints with authentication") -
Query official documentation
mcp_context7_query-docs("/fastapi/fastapi", "JWT authentication with OAuth2PasswordBearer") -
Search for additional context
search_web("FastAPI 0.110 JWT authentication best practices", domain: "fastapi.tiangolo.com") -
Read and validate documentation
read_url_content("https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/")
Step 3: Document Your Findings
All research must be documented with:
- Source URL with section anchors where possible
- Version number the documentation applies to
- Key findings relevant to your implementation
- Code examples extracted from official sources
- Warnings/caveats mentioned in the documentation
What You MUST NOT Rely on Model Memory For
❗ NEVER assume model memory is accurate for:
| Category | Why It's Dangerous |
|---|---|
| Library APIs | Methods may be renamed, deprecated, or removed between versions |
| Function Signatures | Parameter names, types, and defaults change frequently |
| Version Compatibility | What works in v2.0 may not exist in v1.5 |
| Security Practices | Security recommendations evolve; old patterns become vulnerabilities |
| Framework Behavior | Internal behavior changes even when APIs look the same |
| Default Values | Defaults can change between versions, causing subtle bugs |
| Error Handling | Exception types and error formats change |
| Configuration Options | Config keys are added, renamed, or removed |
| Environment Variables | Expected env vars change between versions |
| Database Schemas | ORM/database patterns evolve significantly |
Research Validation Checklist
Before considering research complete, verify:
Discovery Validation
- All external APIs and libraries were discovered using search_web
- Official documentation URLs were located
- Version-specific documentation was identified
Content Validation
- All referenced documentation pages were read using read_url_content
- API signatures were extracted accurately (not paraphrased)
- Code examples were found and noted
Framework Validation
- Framework or SDK behavior was validated using context7 MCP where applicable
- Version-specific patterns were confirmed
- Any framework-specific gotchas were identified
Accuracy Validation
- Version numbers are explicitly stated for all dependencies
- No undocumented or assumed behavior exists in the plan
- All external knowledge has a citation
- Security implications were researched if applicable
Citation Format
All externally sourced knowledge MUST be cited in your plan or documentation.
Standard Citation Format
### Relevant Documentation
- [FastAPI Security - OAuth2 with JWT](https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/)
- Version: FastAPI 0.110+
- Key Content: OAuth2PasswordBearer implementation pattern
- Why Needed: Required for implementing secure token authentication
- Sourced via: search_web → read_url_content
- [React useEffect Reference](https://react.dev/reference/react/useEffect)
- Version: React 18.2
- Key Content: Cleanup function patterns for async operations
- Why Needed: Prevent memory leaks in component unmount
- Sourced via: context7 MCP
Version Context
Always include explicit version numbers:
✅ Good: "FastAPI v0.110 OAuth2PasswordBearer"
✅ Good: "React 18.2 useEffect cleanup"
✅ Good: "Next.js 14.1 App Router server actions"
❌ Bad: "FastAPI authentication"
❌ Bad: "React hooks"
❌ Bad: "Next.js routing"
Common Research Scenarios
Scenario 1: Implementing a New Feature with External Library
- Search for official documentation:
search_web("[library] official docs") - Resolve library ID:
mcp_context7_resolve-library-id("[library]", "[your goal]") - Query specific feature:
mcp_context7_query-docs("[library-id]", "[specific feature]") - Read installation/setup guide:
read_url_content("[docs-url]/getting-started") - Read API reference for your use case:
read_url_content("[docs-url]/api/[feature]")
Scenario 2: Upgrading a Dependency
- Search for changelog:
search_web("[library] changelog [version]") - Search for breaking changes:
search_web("[library] breaking changes [old-version] to [new-version]") - Search for migration guide:
search_web("[library] migration guide [version]") - Read migration documentation:
read_url_content("[migration-guide-url]")
Scenario 3: Security-Sensitive Code
- Search for security best practices:
search_web("[library] security best practices [year]") - Search for security advisories:
search_web("[library] CVE security advisory") - Query secure patterns:
mcp_context7_query-docs("[library-id]", "security authentication encryption") - Read security section of docs:
read_url_content("[docs-url]/security")
Scenario 4: Debugging/Error Research
- Search for the specific error:
search_web("[exact error message]") - Search for common causes:
search_web("[library] [error type] common causes") - Read GitHub issues if relevant:
read_url_content("[github-issue-url]") - Query documentation:
mcp_context7_query-docs("[library-id]", "[error context]")
Integration with Planning Phase
When using this skill during the planning phase (e.g., with the plan-feature workflow):
- Phase 3 of planning should leverage all three tools
- All documentation links in the plan should be sourced via these tools
- No API details should be assumed—they must be verified
- The implementation plan should include citations for all external knowledge
- Validation commands should include research validation as Level 0
Example Phase 3 Integration
### Phase 3: External Research & Documentation
> 📚 **Using External Research Skill**
**Research Conducted:**
1. **context7 MCP**: Queried `/vercel/next.js` for "App Router authentication patterns"
2. **search_web**: Searched "Next.js 14 middleware authentication JWT"
3. **read_url_content**: Read https://nextjs.org/docs/app/building-your-application/authentication
**Findings:**
- Next.js 14 uses middleware.ts for route protection
- JWT validation should happen in middleware, not in page components
- Server actions can access session via cookies() helper
**Citations:**
- [Next.js Authentication Docs](https://nextjs.org/docs/app/building-your-application/authentication) - v14.1
Quality Assurance
Signs of Good Research
✅ Specific version numbers mentioned ✅ Direct links to official documentation ✅ Exact API signatures extracted (not paraphrased) ✅ Code examples from official sources ✅ Warnings and caveats noted ✅ Multiple sources cross-referenced ✅ Clear citation trail (which tool found what)
Signs of Inadequate Research
❌ Vague statements like "according to the docs" ❌ No version numbers specified ❌ Paraphrased API signatures ❌ No direct documentation links ❌ Assumed behavior without verification ❌ Single source only ❌ No code examples referenced
Summary
External research is not optional—it is a mandatory requirement for producing reliable, maintainable, and secure code. The three tools (search_web, read_url_content, context7 MCP) work together to provide:
- Discovery (search_web) → Find where information lives
- Validation (read_url_content) → Read and extract actual content
- Deep Context (context7 MCP) → Get version-specific, structured knowledge
Always research. Always cite. Always verify. Never assume.