Agent Skills:从 SKILL.md 到受控持续学习与独立接纳
Agent skill 让程序化知识、脚本、模板和工具配方可以在模型权重之外被发现、加载和修改。这很有价值,也很容易被说得过头:一个更好的 skill 不等于模型自己变强;一个成功的自编辑也不等于递归自我改进。正确的研究对象是一个有来源、有权限、有测试、有回滚和独立接纳门的外部工件生命周期。
skill format != skill selection != skill execution != skill learning != skill acceptance。把这五层分开,才能知道收益来自内容、activation、harness、环境、评测器,还是只来自共享开发集的局部拟合。
1. Skill 是外部能力包,不是模型权重
Agent Skills specification 将 skill 定义为至少含有 SKILL.md 的目录,可附带 scripts、references 和 assets。其基本运行模式是 progressive disclosure:启动时只看 name/description,命中任务后加载主体说明,再按需读取资源。这提供了可移植、可版本化的接口,但格式本身不保证 skill 被正确选择、脚本安全、输出正确,或跨 agent/harness 一致有效。
| 对象 | 适合怎样表述 | 不能误写成 |
|---|---|---|
SKILL.md 指令与 metadata |
外部、可加载的程序化知识 | 基础模型权重更新 |
| script / reference / asset | skill 的可执行依赖或资源 | 已被 sandbox 或安全审查 |
| activation description | 选择该 skill 的检索/路由线索 | 正确的任务分类或权限授予 |
| skill revision | 对外部工件的受限优化 | executor 或 evaluator 已自我改进 |
| skill library | 可供 agent 选择的版本集合 | 具有未见任务迁移能力的证明 |
因此 “agent 学会了一个 skill” 至少可能指四件不同的事:固定 skill 被加载并帮助完成任务;agent 从轨迹提炼新 skill;curator 更新 skill repository;或基础模型通过 SFT/RL 改变参数。每一件都应单独报告,不能用一个 skill success 指标混写。
2. 让格式成为生命周期,而不只是一个文件夹
一个可审计 skill 至少需要从来源到退役的闭环:
| 生命周期阶段 | 最小记录 | 独立要问的问题 |
|---|---|---|
| Source / admission | author、license、source digest、依赖、review、风险级别 | 谁提供了它,内容或脚本是否可验证、可复现、可部署? |
| Catalog / selection | name、description、version、适用分布、activation decision | 是因任务匹配激活,还是误触发/漏触发? |
| Execution | input/output、tool/capability grant、resource digest、trace、side effect | 它实际做了什么,是否超出声明的权限? |
| Evaluation | task outcome、verifier、回归、成本、失败与 adversarial controls | 它是在未见任务上帮助,还是只复用了开发模板? |
| Revision | editable surface、diff、预测收益/风险、rejected edits、budget | 修改了什么,是否有可解释的反事实和回退? |
| Release / retirement | acceptance hash、target scope、expiry、revoke/rollback | 谁接纳、何时过期、出问题如何停止使用? |
格式中可选的 allowed-tools 是很有用的声明,但 specification 明确它仍是 experimental、支持程度因 client 而异。运行时 host 不能把一段 YAML 当作真正权限系统:每次调用仍要经过tool governance 的 capability grant、参数检查、sandbox 和独立 postcondition。
3. 已有证据说明什么,又没有说明什么
SkillsBench 用带 deterministic verifier 的多领域任务比较 no-skill、curated skill 与 self-generated skill。它支持“某些精心构造的外部 skill 可以改善指定 agent-task 配置”的结论,也报告效果在任务间有显著差异,部分任务反而下降;其中 self-generated skill 的平均结果并不自动优于 no-skill。SkillLearnBench 进一步研究持续 skill generation:在其真实任务 taxonomy 下,方法没有在所有任务和 LLM 上稳定领先,且它观察到只靠 self-feedback 会出现 recursive drift。
SkillOpt 将 skill 当作冻结 executor 之外的 text-space state,用有界 add/delete/replace edit、rejected-edit buffer 和严格 held-out validation 来做受控优化;这是对“skill artifact 可以被像优化对象一样训练”的重要预印本证据。SkillOS 将 frozen executor 与可训练 curator 分离,使 repository 的更新由跨任务经验驱动;MUSE-Autoskill 把 creation、memory、management、evaluation 和 refinement 组织为生命周期。这些工作提出并评测了各自设置的系统,不能由此推出任意自演化 skill library 都会持续进步、跨环境迁移或构成强 RSI。
4. 接纳一个 Skill Edit:像代码变更一样严谨
当 skill 可以由 agent 写入或修改时,最小可用协议不是“运行几次,分数更高就保存”,而是下面这条受控路径:
- 冻结 executor 与 editable surface。 声明可改的是 instructions、metadata、script、reference 还是 routing rule;candidate 不能改 evaluator、credential、policy 或最终 release decision。
- 保存 change manifest。 每个 diff 记录父版本、任务/反馈来源、预测收益、可能回归、权限变化、依赖变化、token/compute 与审查状态。
- 开发与接纳分离。 所有候选、失败和 rejected edit 留在 development trace;acceptance runner 在 candidate 无写权限的 held-out task、regression suite 与安全任务上执行。
- 把成本与触发准确率也算进来。 一个 skill 如果提升 outcome 却误触发、占用大量 context、调用更宽权限或显著增加成本,不能只按 pass rate 接纳。
- 发布可回退版本。 将 accepted version、范围、expiry、artifact hash 与撤销机制绑定;发现回归后按 manifest 回到上一个已接纳版本。
| 需要验证的命题 | 最小对照 | 推翻条件 |
|---|---|---|
| curated skill 有用 | no-skill、同 executor/harness/task/budget | 未见 task 没有 outcome 提升,或成本抵消收益 |
| 自动 skill revision 有用 | one-shot/self-feedback 与 held-out-gated revision | 只在开发模板或相同 generator 上提升 |
| lifecycle curation 有用 | 固定 library、memory-only、curator 版本 | 更新造成遗忘、误触发或无净效率收益 |
| cross-environment transfer 存在 | 新 harness、tool schema 或任务规则的隔离 holdout | 一换环境/执行器收益消失 |
| 安全发布可行 | signed/pinned review 与宽权限/未审查 baseline | script、依赖或 prompt 注入绕过权限/验收 |
这恰好形成 RSIBench 的一个干净起点:不是让 candidate 随意重写自己,而是让它对一个受限、外部、可回退的 skill surface 提议变更,并用独立 acceptance 判断是否值得保留。
5. 供应链与运行时安全:Skill 是代码和指令的混合物
skill package 可以携带可执行 scripts、引用内容、触发描述和依赖,因而同时具有 package supply chain 与 prompt-injection 风险。Agent Skills in the Wild 在其收集的 marketplace corpus 与检测方法中报告了 prompt injection、数据外泄、权限提升与供应链风险;样本、检测器和 marketplace 范围意味着它不是整个 ecosystem 的无条件 prevalence estimate,但足以说明“安装一个 skill”不是中性的文本加载。Towards Secure Agent Skills 将 attack surface 分到 creation、distribution、deployment 与 execution 生命周期,进一步提醒 single approval 的持久信任不是足够控制。
每个 skill 至少应有:可追溯来源与 license、内容/脚本/dependency hash、静态与语义审查、隔离的 script execution、默认最小网络/文件/credential 权限、对 reference 和 tool output 的不可信标签、版本 pinning、撤销清单和安装后 adversarial test。对于浏览器与 computer-use skill,截图或成功 toast 不能代替后端 postcondition;对于 code skill,tests 也不能代替依赖、secret 和 egress 审计。
6. 与合成实例和基础模型训练怎样正确连接
skill 能既是训练数据的来源,也能是训练后 policy 使用的外部状态,但这两条路径必须分开:
| 研究路径 | 允许学习什么 | 必须隔离什么 |
|---|---|---|
| Skill retrieval / curation | 何时选择、组合、退役哪一个固定 skill | final task、hidden verifier、敏感 credentials、评价答案 |
| Skill revision | 受限 diff 如何由执行反馈改进 | acceptance suite、release control、evaluator 与 policy |
| SFT from skill traces | 对已验证 action/observation 轨迹的模仿 | evaluation workflow、successful hidden traces、generator/template leakage |
| RL with skills | 在固定 skill/action/authority surface 下的 outcome optimization | reward shortcut、可写 verifier、训练任务到最终任务的环境/规则重叠 |
| Foundation-model update | 固定数据/环境/预算下的参数变化 | 把外部 library 更新误报成 model ability 提升 |
ACuRL 将 target-environment exploration、curriculum generation 和持续适应相连,是环境经验可成为训练信号的具体例子。它不免除 generator、训练、验证与最终评测的分离。任何“skill 帮助基础模型训练”的正向结果都应固定 base model、harness、library snapshot、tool policy 和总 budget,对比 no-skill、curated fixed skill、revision-only、SFT-only、RL-only 与 SFT+RL,并在按 environment、workflow/rule、skill topology 和 security family 隔离的 holdout 上验收。
7. 它如何回到五条核心研究线
| 核心线 | Agent Skills 新增的可测对象 | 不能替代什么 |
|---|---|---|
| RSI / OpenRSI | 受限的 skill/harness edit、跨代 accepted/rejected buffer、rollback | 改进改进者的独立多代 held-out 证据 |
| Auto Research / ART | 研究 workflow skill、引用/脚本/实验工件的版本化谱系 | 因果结论、复现与同行评审 |
| Long horizon | 长期 library state、activation、expiry、revocation 与 checkpoint | 任务状态重建、计划与故障恢复本身 |
| Environment / ClawBench V2 | skill 的 tool authority、scripts、untrusted resources 与 sidecar evidence | 一个 skill format 或一条 guard 自动提供隔离 |
| Synthetic training / Agentic RL | skill-aware instance、revision trace、trigger/authority action 与 transfer split | 证明训练结果跨未见环境泛化 |
这篇文章与RSI中的受限自改协议互补:RSI 说明何时可以谈“改进改进者”;本文定义一个更小、可操作的外部 skill 工件。它也接到合成实例与 Agent 训练、Agent Tool Governance、Long-horizon agents和Agent 热门方向地图。
Primary References
- Agent Skills specification, client implementation, and skill evaluation guidance.
- SkillsBench, SkillLearnBench, and Agent Skill Evaluation and Evolution (preprints).
- SkillOpt, SkillOS, MUSE-Autoskill, and ACuRL (preprints).
- Agent Skills in the Wild and Towards Secure Agent Skills (preprints), plus companion notes on RSI, synthetic training, and tool governance.
Agent Skills: From SKILL.md to Governed Continual Learning and Independent Acceptance
Agent skills let procedural knowledge, scripts, templates, and tool recipes be discovered, loaded, and modified outside model weights. That is useful, and easy to overstate: a better skill does not mean the model improved itself; a successful self-edit does not mean recursive self-improvement. The right research object is an external-artifact lifecycle with provenance, authority, testing, rollback, and an independent acceptance gate.
skill format != skill selection != skill execution != skill learning != skill acceptance. Separating these five layers tells us whether a gain comes from content, activation, harness, environment, evaluator, or only local fitting on a shared development set.
1. A Skill Is an External Capability Package, Not Model Weights
The Agent Skills specification defines a skill as a directory containing at least SKILL.md, optionally with scripts, references, and assets. Its basic runtime is progressive disclosure: name and description at startup, the instruction body after a task matches, then resources on demand. This supplies a portable, versionable interface. The format itself does not ensure correct selection, safe scripts, correct output, or transfer across agents and harnesses.
| Object | Appropriate description | What it must not be called |
|---|---|---|
SKILL.md instructions and metadata |
External, loadable procedural knowledge | A base-model weight update |
| Script / reference / asset | Executable dependency or resource of a skill | Already sandboxed or security-reviewed |
| Activation description | Retrieval/routing signal for choosing a skill | Correct task classification or an authority grant |
| Skill revision | Bounded optimization of an external artifact | Executor or evaluator self-improvement |
| Skill library | Version set available to an agent | Proof of unseen-task transfer |
Thus “the agent learned a skill” can mean four different things: a fixed skill was loaded and helped a task; an agent distilled a new skill from trajectories; a curator updated a skill repository; or a base model changed its parameters through SFT/RL. Report each separately rather than merging them into one skill success metric.
2. Turn a Format into a Lifecycle, Not Merely a Folder
An auditable skill needs a closed loop from provenance to retirement.
| Lifecycle stage | Minimum record | Independent question |
|---|---|---|
| Source / admission | Author, license, source digest, dependencies, review, risk level | Who supplied it, and can its content or scripts be verified, reproduced, and deployed? |
| Catalog / selection | Name, description, version, applicable distribution, activation decision | Did a task match it, or did it misfire or fail to fire? |
| Execution | Input/output, tool/capability grant, resource digest, trace, side effect | What did it actually do, and did it exceed declared authority? |
| Evaluation | Task outcome, verifier, regressions, cost, failures, adversarial controls | Did it help unseen work, or only reuse a development template? |
| Revision | Editable surface, diff, predicted gain/risk, rejected edits, budget | What changed, and is there an interpretable counterfactual and rollback? |
| Release / retirement | Acceptance hash, target scope, expiry, revoke/rollback | Who accepted it, when does it expire, and how is use stopped after failure? |
The format’s optional allowed-tools field is a useful declaration, but the specification calls it experimental and client support varies. A runtime host cannot treat YAML as an actual permission system: every call still needs the capability grant, parameter checks, sandbox, and independent postcondition in tool governance.
3. What Existing Evidence Shows, and What It Does Not
SkillsBench compares no skill, curated skills, and self-generated skills on multi-domain tasks with deterministic verifiers. It supports the claim that some carefully constructed external skills can help specified agent-task configurations, while reporting substantial task variation and some negative effects; its self-generated skills do not automatically outperform the no-skill condition on average. SkillLearnBench studies continual skill generation. In its real-task taxonomy, no method leads consistently across every task and LLM, and it observes recursive drift from self-feedback alone.
SkillOpt treats a skill as text-space state outside a frozen executor, using bounded add/delete/replace edits, a rejected-edit buffer, and strict held-out validation for controlled optimization. It is important preprint evidence that a skill artifact can be trained like an optimization object. SkillOS separates a frozen executor from a trainable curator whose repository updates draw on cross-task experience. MUSE-Autoskill organizes creation, memory, management, evaluation, and refinement as a lifecycle. These works propose and evaluate systems in their stated settings; they do not imply that an arbitrary self-evolving library improves continually, transfers across environments, or constitutes strong RSI.
4. Accept a Skill Edit with the Discipline of a Code Change
When an agent may write or modify a skill, the minimum useful protocol is not “run it a few times and save it if the score goes up.” Use this controlled path instead:
- Freeze executor and editable surface. State whether instructions, metadata, script, reference, or routing rule can change; the candidate cannot change evaluator, credentials, policy, or final release decision.
- Retain a change manifest. Every diff records parent version, task/feedback sources, predicted gain, possible regressions, authority/dependency change, token/compute use, and review state.
- Separate development from acceptance. Candidates, failures, and rejected edits remain in the development trace. A non-writable acceptance runner executes held-out tasks, regressions, and security tests.
- Count cost and triggering quality. A skill that lifts outcome while misfiring, consuming excessive context, widening authority, or raising cost cannot be accepted by pass rate alone.
- Release a rollback-capable version. Bind accepted version, scope, expiry, artifact hash, and revocation. A regression returns to the prior accepted version through its manifest.
| Claim to test | Minimum control | Falsifier |
|---|---|---|
| A curated skill helps | No skill under the same executor/harness/task/budget | No unseen-task outcome gain, or cost erases the benefit |
| Automatic revision helps | One-shot/self-feedback versus held-out-gated revision | Gain occurs only on development templates or the same generator |
| Lifecycle curation helps | Fixed library, memory-only, and curator variants | Updates cause forgetting, misfires, or no net efficiency benefit |
| Cross-environment transfer exists | Held-out harness, tool schema, or task rule | Benefit disappears after changing environment or executor |
| Safe release is feasible | Signed/pinned review versus broad/unreviewed authority baseline | Script, dependency, or prompt injection bypasses authority or acceptance |
This gives RSIBench a clean starting point: not a candidate freely rewriting itself, but a candidate proposing changes to a restricted, external, rollback-capable skill surface whose retention is decided by independent acceptance.
5. Supply Chain and Runtime Security: A Skill Mixes Code and Instructions
A skill package can carry scripts, reference content, triggering descriptions, and dependencies, creating both package-supply-chain and prompt-injection risks. Agent Skills in the Wild reports prompt injection, data exfiltration, privilege escalation, and supply-chain risk in its collected marketplace corpus and detection setup. Its sample, detector, and marketplace scope are not an unconditional prevalence estimate for the full ecosystem, but they show that installing a skill is not neutral text loading. Towards Secure Agent Skills divides the attack surface across creation, distribution, deployment, and execution, further warning that single-approval persistent trust is not enough control.
Every skill should at least have traceable provenance and license; content/script/dependency hashes; static and semantic review; isolated script execution; minimum default network/file/credential authority; untrusted labels on references and tool output; version pinning; revocation; and a post-install adversarial test. For browser and computer-use skills, a screenshot or success toast cannot replace a backend postcondition. For coding skills, tests do not replace dependency, secret, and egress audit.
6. Connect It Correctly to Synthetic Instances and Foundation-Model Training
A skill can be both a source of training data and external state used by a post-trained policy, but those paths must stay separate.
| Research path | What may be learned | What must stay isolated |
|---|---|---|
| Skill retrieval / curation | When to select, compose, or retire fixed skills | Final tasks, hidden verifier, sensitive credentials, evaluation answers |
| Skill revision | How bounded diffs improve from execution feedback | Acceptance suite, release control, evaluator, and policy |
| SFT from skill traces | Imitation of verified action/observation trajectories | Evaluation workflow, successful hidden traces, generator/template leakage |
| RL with skills | Outcome optimization under fixed skill/action/authority surface | Reward shortcut, writable verifier, environment/rule overlap from training to final tasks |
| Foundation-model update | Parameter change under fixed data/environment/budget | Misreporting an external-library update as model-ability gain |
ACuRL connects target-environment exploration, curriculum generation, and continual adaptation, offering a concrete case where environment experience becomes a training signal. It does not remove the need to separate generator, training, validation, and final evaluation. Any positive claim that skills help foundation-model training should fix the base model, harness, library snapshot, tool policy, and total budget; compare no-skill, curated fixed skill, revision-only, SFT-only, RL-only, and SFT+RL; then accept on holdouts separated by environment, workflow/rule, skill topology, and security family.
7. How It Returns to the Core Five
| Core thread | Measurable object added by agent skills | What it cannot replace |
|---|---|---|
| RSI / OpenRSI | Restricted skill/harness edits, cross-generation accepted/rejected buffer, rollback | Independent multi-generation held-out evidence for improving the improver |
| Auto Research / ART | Versioned lineage for research-workflow skills, citations, scripts, and experiment artifacts | Causal conclusion, reproduction, and peer review |
| Long horizon | Persistent library state, activation, expiry, revocation, and checkpoints | Task-state reconstruction, planning, and fault recovery themselves |
| Environment / ClawBench V2 | Tool authority, scripts, untrusted resources, and sidecar evidence for a skill | A format or one guard automatically supplying isolation |
| Synthetic training / Agentic RL | Skill-aware instances, revision traces, trigger/authority actions, and transfer splits | Proof that training results generalize across unseen environments |
This article complements the bounded self-modification protocol in RSI: RSI says when we may discuss improving the improver, while this note defines a smaller operational external skill artifact. It also connects to synthetic agent training, Agent Tool Governance, long-horizon agents, and Hot Agent Directions.
Primary References
- Agent Skills specification, client implementation, and skill evaluation guidance.
- SkillsBench, SkillLearnBench, and Agent Skill Evaluation and Evolution (preprints).
- SkillOpt, SkillOS, MUSE-Autoskill, and ACuRL (preprints).
- Agent Skills in the Wild and Towards Secure Agent Skills (preprints), plus companion notes on RSI, synthetic training, and tool governance.