Agent Skills: What They Are and How to Write Them Well

Agent skills are becoming the packaging layer for serious agent work.

They sit between a one-off prompt and a full application. A good skill gives an agent enough domain knowledge, instructions, examples, and implementation support to perform a repeatable job without stuffing every detail into the system prompt.

That sounds simple. In practice, it is one of the most important design surfaces in an agent runtime.

A skill can make an agent consistent, observable, and easier to review. It can also create hidden state, overlapping behavior, security blind spots, and brittle prompts that decay after two product changes.

This guide defines what a skill is, how it differs from a tool call or workflow step, and how to design skills that still make sense after the first demo.

A Precise Definition

An agent skill is a packaged capability that teaches an agent how to perform a class of tasks.

The package usually includes four parts:

1. A name that lets the runtime or model identify the capability.
2. An activation description that explains when the skill should be used.
3. An instruction body that tells the agent how to perform the work.
4. Optional supporting files such as scripts, templates, examples, schemas, or reference docs.

In systems that use SKILL.md, the markdown file is the skill’s contract. It carries the activation trigger and the operational instructions. Supporting files can hold heavier references so the agent reads them only when the task actually needs them.

That progressive shape matters. If every capability lives in the system prompt, the agent pays the token and attention cost on every task. A skill lets the runtime keep most capability detail outside the active prompt until the model needs it.

The short version:

Concept	What it is	Best use
Prompt	A direct instruction for one interaction	One-off guidance, examples, local tone
Tool	A callable function or external action	Deterministic operations with typed inputs and outputs
Workflow step	One stage in a larger process	Sequencing, approval gates, handoffs
Skill	A reusable capability package	Repeatable domain work that combines instructions, references, and sometimes code

A skill is not just a longer prompt. It is a deployable unit of agent behavior.

Skill vs Tool Call

A tool call is an action.

It might search a database, create a ticket, run a test, fetch a URL, or write a file. Good tools have explicit schemas, clear permissions, and predictable outputs. The agent decides when to call the tool and with which arguments.

A skill is the knowledge of how to do a job.

For example, a security-review skill might instruct the agent to map data flows, check authentication boundaries, inspect dependency changes, look for unsafe rendering sinks, and produce findings in a specific format. That skill might use many tools: file search, dependency audit, test runner, static analysis, and ticket creation.

The tool is the instrument. The skill is the procedure.

This distinction prevents a common design mistake: turning every skill into a thin wrapper around one tool. If the only thing a skill does is call runAudit(projectId), it may not need to be a skill. It may just be a tool with a good schema.

Skills become valuable when the agent needs judgment, sequencing, context loading, fallback behavior, or domain-specific review criteria.

Skill vs Workflow Step

A workflow step is position in a process.

For example:

1. Plan the change.
2. Implement the patch.
3. Run tests.
4. Security review.
5. QA verification.
6. Release.

A skill can be used inside any of those steps. A blog-authoring skill might operate during implementation. A security-review skill might operate during review. A release-notes skill might operate after deployment.

The workflow owns state and order. The skill owns capability.

Confusing the two creates brittle systems. If a skill assumes it is always the third step in a workflow, it becomes hard to reuse. If a workflow embeds every detail of how to perform code review, it becomes hard to improve that review logic across teams.

Keep the contract clean:

• Workflow: “When should this happen?”
• Skill: “How should this class of work be done?”
• Tool: “What exact action can be executed?”

That separation is especially important in multi-agent systems where different personas, teams, or runtimes share the same capability library.

The Lifecycle: Author, Review, Version, Deploy, Retire

Skills need lifecycle discipline because they change agent behavior.

Treat them more like product code than prompt snippets.

1. Author

Authoring starts with scope.

A good skill has a narrow job and a clear trigger. It should answer three questions immediately:

• What tasks should activate this skill?
• What tasks should not activate it?
• What output should the agent produce?

The activation text is part of the interface. If it is vague, the model may invoke the skill too often, too late, or alongside another overlapping skill.

Bad trigger:

Use this skill for engineering work.

Better trigger:

Use this skill when reviewing a pull request for security risks, including authentication, authorization, input validation, unsafe rendering, secrets exposure, dependency changes, and data leakage.

That second version gives the runtime and model a meaningful decision boundary.

2. Review

Skill review should cover behavior, security, and maintainability.

Reviewers should ask:

• Does the trigger overlap with existing skills?
• Does the skill ask for tools it does not need?
• Does it depend on hidden environment state?
• Does it define failure behavior?
• Does it create artifacts that can be audited later?
• Does it include enough examples to stabilize output?

Review is where many skill libraries either become durable or become a pile of clever prompts.

The dangerous part is that a broken skill may still appear to work. It can produce fluent output while quietly skipping edge cases, swallowing errors, or choosing an unsafe fallback.

3. Version

Version skills when their behavior changes in a way that downstream users or workflows can observe.

Examples:

• The output format changes.
• The skill starts using a new tool.
• The activation trigger expands or narrows.
• A required environment variable is added.
• The skill’s review checklist changes.

You do not need ceremony for every wording improvement. But you do need a way to answer, “Which version of this skill produced this artifact?”

That is the bridge from convenience to governance.

In an enterprise agent platform, skill version should be part of the execution record alongside model, prompt, tools, user, repository, branch, and commit.

4. Deploy

Deployment is not just copying a markdown file into a directory.

Deployment should confirm:

• The skill loads in the target runtime.
• Required files are present.
• Referenced scripts are executable where expected.
• Tool permissions match the skill’s stated needs.
• Example tasks produce expected outputs.
• Observability hooks capture activation and failure events.

Skills that contain code-side helpers should be deployed with the same caution as any internal automation. If a script can touch files, call APIs, or run shell commands, the skill is part of your software supply chain.

5. Retire

Retirement is part of lifecycle design.

A stale skill is worse than no skill because it gives the agent confident but outdated instructions.

Retire a skill when:

• A product workflow changes and the old instructions no longer match reality.
• Two skills now cover the same job.
• A safer tool or runtime capability replaces the skill.
• The skill depends on an API, package, or file layout that no longer exists.

Keep a short retirement note. Future agents and reviewers should understand whether the skill was replaced, merged, or intentionally removed.

Best Practice 1: Design the Interface First

The interface is not only a JSON schema. For a skill, the interface includes trigger language, inputs, required context, allowed outputs, and failure modes.

A useful skill interface states:

• Activation: when to use it.
• Inputs: what the agent must know before acting.
• Context loading: which files, docs, or resources to inspect.
• Tools: which external actions are expected.
• Output: the final artifact format.
• Failure: what to do when prerequisites are missing.

If you cannot describe those boundaries, the skill is not ready.

For example, a blog-authoring skill might require:

• Topic and target audience.
• Required word count.
• Frontmatter schema.
• Internal-link targets.
• Existing posts to avoid cannibalizing.
• Validation commands.
• Mirror-file rules.

Without that interface, the agent may write good prose that fails the build, duplicates an existing article, or misses the legacy mirror file that a sitemap script still depends on.

Best Practice 2: Make Skills Idempotent

Idempotency means the skill can run more than once without corrupting the result.

This matters because agents retry. They resume after interruptions. They receive partial state from previous sessions. They may be asked to fix a QA rejection on an artifact that already exists.

An idempotent skill:

• Checks whether the target artifact already exists.
• Reads existing content before updating it.
• Uses stable anchors for edits.
• Avoids appending duplicate sections.
• Can explain what it changed and what it left alone.

For content work, that means reading the current MDX before adding a new section. For infrastructure work, it means checking whether a policy, route, or migration already exists. For ticket workflows, it means recognizing a linked follow-up issue instead of filing another copy.

Idempotency is how skills survive real operations.

Best Practice 3: Treat Error Surfaces as Product

A skill should say what failure looks like.

Too many skills explain the happy path and leave errors to improvisation. That creates the worst kind of agent behavior: confident fallback.

Define errors explicitly:

• Missing prerequisite: stop and ask for the required input.
• Ambiguous scope: present candidates instead of guessing.
• Tool failure: report the failing operation and the underlying error.
• Partial write: preserve current state and describe recovery.
• Validation failure: list the exact command and error that failed.

The model should not have to invent these rules under pressure.

Error surfaces are also user experience. A good failure tells the next operator where to look, what was attempted, and what state the system is in.

Best Practice 4: Add Observability Hooks

If a skill changes agent behavior, the runtime should be able to observe it.

At minimum, capture:

• Skill name.
• Skill version.
• Activation reason.
• Inputs or input references.
• Tools called during the skill.
• Artifacts created or modified.
• Validation commands.
• Final status.
• Errors and retries.

This is where agent skills connect directly to AI observability. You cannot improve, debug, or govern a skill library if you cannot see which skills were used and what they did.

Observability also helps detect overlap. If two skills keep activating for the same task class, your library has a boundary problem.

Best Practice 5: Build Evaluation Coverage

Evals are how you keep a skill from decaying.

A practical eval set should include:

• Happy path tasks.
• Empty or underspecified inputs.
• Ambiguous requests.
• Boundary cases.
• Tool failures.
• Security-sensitive examples.
• Regression examples from real incidents.

For a documentation skill, an eval might verify that the output uses the required template, includes no unsupported claims, and links to the right canonical pages.

For a code-review skill, an eval might include a pull request with a hardcoded secret, an unsafe SQL string, a harmless dependency bump, and an authorization bug hidden behind clean formatting.

For a deployment skill, an eval might simulate a failed push, missing environment variable, and partial rollout state.

The key is not to test whether the model can write impressive text. The key is to test whether the skill preserves the system’s invariants.

Anti-Pattern Catalog

Anti-pattern	What it looks like	Why it fails	Better pattern
Hidden state dependency	”Use the usual repo path” or “deploy to the standard account”	The skill only works for the author and breaks in a fresh workspace	Declare required paths, env vars, accounts, and discovery steps
Two skills, same job	security-review and secure-code-review both activate on PR review	The model may choose inconsistently or blend conflicting instructions	Merge them or define strict boundaries
Tool wrapper masquerading as skill	A skill that only says “call this one function”	Adds prompt overhead without capability design	Make it a tool with a schema
No failure mode	The skill describes only the successful path	The agent invents fallback behavior when tools fail	Define stop, retry, rollback, and escalation rules
Swallowed errors	”If the command fails, continue”	Produces artifacts that look complete but were never verified	Log the operation, underlying error, and recovery state
Prompt bloat	The skill includes every reference document inline	High token cost and lower attention on the current task	Use progressive disclosure with references loaded only when needed
Unbounded scope	”Use for all marketing work”	Activates too often and competes with narrower skills	Narrow the trigger to a concrete task family
No evals	Skill quality is judged by one demo output	Regressions are discovered by users	Maintain task fixtures and expected properties
No version trail	Skill changes overwrite history	You cannot explain why two artifacts differ	Track version and record it in execution logs
Unsafe code helpers	Skill scripts can call networks or mutate files without review	Skills become an unreviewed automation supply chain	Review helpers like code, scope permissions, and log executions

Worked Example 1: A Blog Authoring Skill

Suppose a team publishes technical SEO articles through Astro MDX.

The skill should not merely say, “Write a good blog post.”

It should encode the actual publishing contract:

• Read the topic and acceptance criteria.
• Search existing posts for overlap.
• Choose a slug that does not collide.
• Use the required frontmatter fields.
• Keep seoTitle and seoDescription under schema caps.
• Include durable internal links.
• Avoid unsupported claims.
• Mirror the post into the legacy content directory if sitemap tooling still reads it.
• Run build validation.

The skill’s failure behavior should also be explicit:

• If the topic overlaps an existing post, stop and explain the distinction.
• If the source requires current vendor facts, verify primary docs before drafting.
• If validation fails, fix the schema or content issue before committing.

This is a good skill because it packages domain-specific publishing behavior that a generic writing prompt would miss.

It also stays separate from tools. The skill may use file search, web browsing, a markdown parser, and a test runner, but none of those tools is the skill.

Worked Example 2: A Dependency Remediation Skill

A dependency remediation skill handles a repeated engineering task: fix a security or audit finding without destabilizing the application.

The interface might require:

• Package manager.
• Current audit output.
• Lockfile state.
• Runtime engine constraints.
• Test command.
• Build command.
• Risk tolerance for major upgrades.

The skill’s plan could be:

1. Reproduce the audit finding.
2. Identify the shortest compatible upgrade path.
3. Avoid major-version jumps unless necessary.
4. Update package and lockfile together.
5. Run focused tests, full tests, audit, and build.
6. Log residual warnings separately from blocking vulnerabilities.

The idempotency rule matters here. If the package is already upgraded, the skill should verify the state rather than applying another random version bump.

The security rule matters too. A dependency skill should never silence an audit by moving a vulnerable package into devDependencies, excluding it from checks, or pinning a fork without review.

This is exactly the type of skill that benefits from observability. Leaders need to know which dependency was changed, why, what tests proved, and whether any compliance finding was linked.

Worked Example 3: A Persona Handoff Skill

In a multi-persona system like VibeFlow, different agents may represent product, architecture, implementation, security, QA, and customer perspectives.

A persona handoff skill helps one agent prepare work for another.

The skill should define:

• What context must be summarized.
• Which artifacts must be linked.
• What status transition is allowed.
• What open questions should be preserved.
• What evidence the next persona needs.

For example, an implementation agent handing to QA should include:

• Work item ID.
• Commit hash.
• Files changed.
• Acceptance criteria.
• Test commands and results.
• Known non-goals.
• Areas QA should inspect manually.

That is not just a courtesy. It is operational continuity.

Without a handoff skill, each agent has to reconstruct the story from raw diffs and logs. With a good skill, the next persona starts with the right evidence and can spend more time verifying behavior.

This is where skills become governance infrastructure rather than convenience prompts.

Security Rules for Skill Libraries

Skills are operational text. They shape what an agent believes it should do.

That makes them part of the supply chain.

Security review should cover:

• Activation triggers that could be manipulated.
• Instructions that override project policy.
• Scripts that execute shell commands.
• Network calls to third-party services.
• Secrets handling.
• Data exfiltration paths.
• Permission scope.
• Output sinks such as HTML, SQL, shell, and files.

The more powerful the skill, the more boring its permissions should be.

A skill that writes code should not automatically deploy. A skill that reads customer data should not also call external enrichment APIs. A skill that handles secrets should never log raw inputs.

Skills should also avoid policy laundering. If the project requires human approval for destructive operations, a skill must not rephrase the task as “cleanup” and bypass the gate.

How Skills Fit With Tools, Prompts, and Protocols

The modern agent stack is becoming layered.

Reusable prompts capture common interaction patterns. Tools expose typed actions. Protocols such as MCP standardize how agents discover and call external capabilities. Agent SDKs add handoffs, tracing, guardrails, and runtime orchestration. Skills sit across those layers as packaged task knowledge.

That is why skill design should reference the surrounding runtime, not ignore it.

Useful primary references include:

• Claude Skills documentation, which describes skills as packages with a SKILL.md file and optional supporting resources.
• OpenAI Agents SDK tracing documentation, which is useful for thinking about execution traces across model calls, tool calls, handoffs, and guardrails.
• Model Context Protocol concepts, which separates tool-like executable actions from other context surfaces.

The exact file format will vary by runtime. The engineering principle is stable: put reusable domain behavior in a package with a clear interface, reviewable instructions, observable execution, and testable outcomes.

A Practical Skill Template

Use this structure as a starting point:

---
name: focused-skill-name
description: Use when the agent must perform one specific class of repeatable work.
---

# Purpose

What this skill does and what it does not do.

# Inputs

Required information before starting.

# Context to Load

Files, docs, schemas, examples, or systems to inspect first.

# Procedure

Numbered steps with decision points and stop conditions.

# Output

Expected artifact shape, summary format, or status transition.

# Failure Modes

What to do when inputs are missing, tools fail, validation fails, or scope is ambiguous.

# Verification

Commands, checks, evals, and properties that prove the work is complete.

The most important section is often “what this skill does not do.” Negative scope prevents overlap.

The Review Checklist

Before deploying a skill, ask:

• Is the trigger narrow enough?
• Is the output format explicit?
• Are prerequisites stated?
• Are tools and permissions minimal?
• Are failure modes defined?
• Is the skill idempotent?
• Does it cite or load current references for time-sensitive claims?
• Does it avoid overlapping existing skills?
• Does it log enough evidence for review?
• Is there an eval set?
• Is there a retirement path?

If the answer is no, the skill may still be useful as a draft. It is not ready to be shared across teams.

The Bottom Line

Agent skills are how organizations turn repeated agent work into reusable operating capability.

The best skills are not clever prompts. They are small, reviewable packages with explicit boundaries, stable interfaces, observable execution, and clear failure behavior.

That is the difference between an agent that performs well once and an agent system that can be governed over time.

Treat skills as product code for agent behavior. Name them carefully. Scope them tightly. Version them. Test them. Retire them when they no longer match reality.

Do that, and skills become one of the cleanest abstractions in the agent stack: lighter than a full application, stronger than a prompt, and precise enough for real enterprise workflows.