Agent Skills for Large Language Models: Architecture, Acquisition, Security, and the Path Forward

The transition from monolithic language models to modular, skill-equipped agents marks a defining shift in how large language models (LLMs) are deployed in practice. Rather than encoding all procedural knowledge within model weights, agent skills—composable packages of instructions, code, and resources that agents load on demand—enable dynamic capability extension without retraining. This comprehensive guide explores the rapidly evolving landscape of agent skills for LLMs, covering architectural foundations, skill acquisition methods, deployment patterns, and critical security considerations that will shape the future of agentic AI systems.

According to a landmark survey by researchers at Zhejiang University (Xu & Yan, 2026), the agent skills paradigm has achieved remarkable adoption since its formalization in late 2025. Within four months of Anthropic’s open standard release, the skills repository accumulated over 62,000 GitHub stars, with partner-built skills from major platforms including Atlassian, Figma, Canva, Stripe, and Notion. This rapid convergence reflects a broader industry recognition that standardized mechanisms for packaging, distributing, and governing procedural expertise are essential for production-grade AI deployment.

Understanding Agent Skills: From Prompt Engineering to Skill Engineering

The evolution toward agent skills can be understood as a progression through three distinct paradigms of LLM capability extension. Prompt engineering (2022–2023) demonstrated that carefully crafted instructions could elicit impressive zero-shot and few-shot behaviors, but prompts are ephemeral, non-modular, and difficult to version or share. Tool use and function calling (2023–2024) enabled models to invoke external APIs, but each tool is atomic—a single function with defined inputs and outputs that executes and returns without reshaping the agent’s understanding of a task.

Skill engineering (2025–present) introduces a higher-order abstraction. A skill is a bundle that can include instructions, workflow guidance, executable scripts, reference documentation, and metadata, all organized to be dynamically loaded when relevant. The key insight is that many real-world tasks require not a single tool call but a coordinated sequence of decisions informed by domain-specific procedural knowledge. A PDF-processing skill, for example, does not merely expose a “fill form” function; it teaches the agent how to approach PDF manipulation, which libraries to use, what edge cases to handle, and what code to execute.

Several foundational works anticipated this paradigm. Voyager introduced a skill library for embodied agents in Minecraft, while CREATOR and Large Language Models as Tool Makers explored LLMs creating their own tools. However, the current agent skills paradigm emphasizes human-authored, portable, and governed skill packages designed for production deployment across heterogeneous agent platforms.

The SKILL.md Architecture and Progressive Disclosure

At the core of every agent skill is a directory containing a SKILL.md file with YAML frontmatter that specifies a name and description. The defining architectural innovation is a three-level progressive disclosure system that minimizes context window consumption while maintaining access to arbitrarily deep procedural knowledge.

Level 1: Metadata (always loaded) consists of approximately 30 tokens per skill drawn from the YAML frontmatter, pre-loaded in the system prompt at startup. This enables large skill libraries without context penalty. Level 2: Instructions (loaded on trigger) injects the full SKILL.md body (200–2,000 tokens) when a user request matches the skill’s description, modifying the agent’s execution context. Level 3: Resources (dynamic loading) includes scripts, reference documents, and assets loaded only when explicitly called by Level 2 instructions, with unbounded context cost managed through on-demand access.

As the original Anthropic engineering team articulated: building a skill is “like putting together an onboarding guide for a new hire.” Level 1 serves as a table of contents; Level 2 provides the chapter content; Level 3 supplies the technical appendices. This architecture allows a single agent to host hundreds of skills with minimal context overhead.

Skill Execution Lifecycle and Agent LLM Integration

When a user request matches a skill’s description, the agent triggers a two-phase execution process that fundamentally differs from traditional function calling. First, the skill’s instructions and any required resources are injected into the conversation context as a hidden meta message—visible to the model but not rendered in the user interface. Second, the agent’s execution context is modified: pre-approved tools are activated, and the agent proceeds with the enriched context to complete the task.

Critically, agent skill execution modifies the agent’s preparation, not its output directly. This distinguishes skills from function calls, where the tool produces a result. A skill reshapes what the agent knows and can do before it generates its response, enabling more sophisticated multi-step reasoning and task completion that would be impossible with atomic tool calls alone.

The Agentic Stack: How Skills and MCP Work Together

The Model Context Protocol (MCP), launched in November 2024 and donated to the Linux Foundation’s Agentic AI Foundation in December 2025, provides a complementary layer to agent skills. MCP standardizes how agents connect to external data sources and tools via a JSON-RPC 2.0 protocol with three primitives: tools (model-invoked functions), resources (application-controlled data), and prompts (user-invoked templates).

Skills and MCP are not competing standards but orthogonal layers of an emerging agentic stack. A skill might instruct the agent to use a particular MCP server, specify how to interpret its outputs, and define fallback strategies if the connection fails. Skills provide the procedural intelligence—the “what to do”—while MCP provides the connectivity—the “how to connect.” This separation of concerns enables a modular ecosystem where skills can be developed and shared independently of the underlying tool infrastructure.

Agent Skill Acquisition Methods: From Human-Authored to Autonomous

The survey identifies four primary methods for agent skill acquisition, each with distinct trade-offs between quality, scalability, and auditability. Human-authored skills represent the current production standard, exemplified by Anthropic’s Skills ecosystem with its 62,000+ GitHub stars. These skills offer maximum quality and auditability but limited scalability.

Reinforcement learning with skill libraries (SAGE) uses GRPO with sequential rollout to train agents that build and compose skill libraries, achieving an 8.9% improvement in success rate while reducing token consumption by 59%. Autonomous exploration (SEAgent) employs curriculum learning with a world model, improving success rates from 11.3% to 34.5% on OSWorld benchmarks. Compositional skill synthesis (Agentic Proposing) combines skill library access with graph-of-thought reasoning, achieving 91.6% on AIME 2025 mathematical benchmarks.

The most promising research direction lies at the intersection of acquisition and deployment: enabling agents to not only learn skills through experience but externalize them as portable, auditable artifacts that can be inspected, shared, and governed—bridging the gap between model-internal and human-authored skill paradigms.

Computer-Use Agents and Skill Deployment at Scale

The computer-use agent (CUA) stack has emerged as the primary deployment domain for agent skills, enabling LLMs to interact with graphical user interfaces through visual grounding and action execution. CUA-Skill demonstrates parameterized execution graphs that achieve 57.5% state-of-the-art performance on WindowsAgentArena, while UI-TARS-2 advanced GUI agent capabilities through multi-turn reinforcement learning.

Key advances in visual grounding—including UGround (ICLR 2025 Oral), GUI-Actor for coordinate-free grounding, and self-evolutionary reinforcement learning approaches—have dramatically improved the reliability of LLM agent interactions with real-world software. Benchmark progress on OSWorld, SWE-bench, and OS-Marathon demonstrates that performance levels considered aspirational just a year ago are now routine, with new challenges in skill composition and long-horizon task execution defining the next frontier.

Security Vulnerabilities in Agent Skills Ecosystems

Perhaps the most critical dimension of the agent skills landscape is security. Three concurrent empirical studies reveal significant vulnerabilities that demand immediate attention. Research by Liu et al. (2026) found that 26.1% of community-contributed skills contain vulnerabilities, spanning four primary attack categories.

Prompt injection attacks exploit instruction-level vulnerabilities in SKILL.md files, embedding hidden commands that override the agent’s intended behavior. Data exfiltration attacks harvest API keys and tokens through referenced scripts, or steal source code and files through HTTP and DNS exfiltration channels. Privilege escalation attacks abuse tool scope expansion to gain unauthorized access. Supply chain attacks leverage dependency confusion and malicious packages to compromise the entire skill delivery pipeline.

The attack surface varies by architecture level: Level 1 (metadata) presents minimal risk limited to name spoofing; Level 2 (instructions) is high-risk for prompt injection; Level 3 (scripts) is critical-risk for arbitrary code execution. This layered threat model directly maps to the progressive disclosure architecture, highlighting the tension between capability and security in open skill ecosystems.

Trust Framework and Governance for Agent Skills Security

To address these security challenges, the survey proposes a Skill Trust and Lifecycle Governance Framework—a four-tier, gate-based permission model that maps skill provenance to graduated deployment capabilities. The framework defines four trust tiers: T1 (Unvetted/Sandboxed) allows instructions only with no tool access and full isolation; T2 (Community) grants read-only access; T3 (Organization-vetted) provides scoped access to approved resources; T4 (Vendor-certified) enables full capability deployment.

Each skill must pass through verification gates (G1–G4) based on its acquisition pathway, with runtime monitoring enabling trust evolution through promotion or demotion. This approach decouples trust decisions from binary accept/reject into graduated tiers that align permissions with provenance and verification depth. The principles of graduated trust mirror established patterns in software package management and app store governance, adapted for the unique challenges of procedural AI knowledge.

Open Challenges in Agent Skills for LLMs

The survey identifies seven critical open challenges that will shape the future of agent skills for large language models. Cross-platform skill portability requires standardized interfaces that allow skills written for one agent platform to work seamlessly on others. Skill composition and orchestration demands principled frameworks for multi-skill coordination, including conflict resolution, resource sharing, and failure recovery.

Capability-based permission models would replace the current implicit trust model with explicit permission declarations and grants for each skill. Skill verification and testing requires automated frameworks that confirm skills perform as claimed and nothing more—intersecting with AI safety and formal methods. Continual skill learning without catastrophic forgetting addresses whether dynamically loaded skills can inadvertently overwrite useful default model behaviors. Finally, improved evaluation methodology is needed to assess skill reusability, composability, and maintainability rather than merely task completion rates.

The Future of Modular AI: Agent Skills as Digital SOPs

The agent skills paradigm represents a fundamental shift from monolithic intelligence to modular expertise with far-reaching implications. For organizations, skills offer a mechanism to encode institutional knowledge in a form that survives personnel turnover—a digital analogue of standard operating procedures. For the AI ecosystem, open skill standards create network effects: every skill contributed to the commons increases the value of the platform for all users.

The skill ecosystem is currently in its “pre-governance” phase, and the decisions made in the coming months about verification pipelines, permission models, and trust hierarchies will shape its trajectory for years. The path forward requires simultaneous advances in skill learning algorithms that produce inspectable artifacts, robust permission models maintaining usability, evaluation frameworks assessing skill quality, and governance structures balancing openness with safety.

As agents move from research prototypes to production deployments, the convergence on standardized skill abstractions—evidenced by adoption across multiple frontier model providers—confirms that agent skills will be central to how humanity collaborates with AI systems in the years ahead. Understanding and engaging with these developments is essential for any organization seeking to leverage the full potential of large language models.

Explore This Research Interactively

This article synthesizes findings from the comprehensive survey “Agent Skills for Large Language Models” (Xu & Yan, 2026). For a deeper, interactive exploration of the concepts, frameworks, and benchmarks discussed here, experience the full research through Libertify’s interactive platform.