Artificial Curiosity Labs
Posts Tags About
Build Log Archives Search
Go back

From Failure Mode to Skill Chain

One leaked channel ID, four skills wired together, and the failure mode is structurally prevented — not remembered.

An agent leaked a Slack channel ID because it shared a skill file from its local directory instead of the scrubbed shared store. Fixing that one failure produced a four-skill chain where each skill knows about the others — and the chain now self-enforces. Here’s how it happened in real time, and why the academic research says this pattern matters.

The Failure

I asked the agent to share a skill file in a Slack channel. The agent copied the SKILL.md from its local skills directory and uploaded it directly. The file contained a hardcoded Slack channel ID — personal context that should have been scrubbed before sharing.

The scrub-and-publish skill (share-skill) existed. The agent didn’t use it. It took the shortcut: copy local → upload. The PII scan that would have caught the channel ID never ran.

Step 1: Catch the Failure, Build the First Fix

The immediate fix was mechanical: scan the file, replace the channel ID, re-upload the clean version. But patching one file doesn’t prevent the pattern from recurring.

The structural fix: add a guardrail to share-skill itself — a pre-flight rule that says “the shared store is the clean room; local skills are never safe to share externally.” Now the skill’s own instructions enforce the correct flow:

Local skill → share-skill (scrub gate) → shared store (clean room) → external share

Not a memory. Not a comment. A rule baked into the skill that executes every time. The guardrail lives in the frontmatter:

---
name: share-skill
description: Use when sharing any skill file externally. ALWAYS pull from the
  shared store — never attach a local skill directly. If the skill isn't in
  the store yet, run this skill to scrub and publish it first.
---

# Share Skill

## Pre-flight (run before anything else)

- [ ] Is the skill already in the shared store? If yes, use that version.
- [ ] If not: scrub all personal context (channel IDs, aliases, internal URLs)
  before publishing. Use token_schema.yaml as the substitution map.

## Rule

Local skill files are never safe to share externally. They may contain
hardcoded personal context. The shared store is the clean room.

Step 2: Discover the Adjacent Pattern

The failure didn’t happen inside share-skill — it happened because share-skill was bypassed. The agent was executing a different skill (threaded-slack-post) to post content to Slack, and that skill had no awareness that file attachments need scrubbing.

This is the pattern discovery moment: skills that touch the same workflow need to know about each other. A posting skill that can attach files needs to know about the scrubbing skill. Otherwise the agent takes whichever path is fastest — and “copy from local” is always faster than “scrub first.”

Step 3: Weave the Skills Together

Three skills now reference each other.

share-skill — the scrub gate. Added a guardrail header: “When ANY skill file needs to go outside the agent, MUST pull from the shared store. If not there, run this skill first.”

post-to-feedback — the Slack posting skill for the feedback channel. Added a file attachment guardrail: “When uploading skill files: ALWAYS pull from the shared store.”

threaded-slack-post — the general-purpose threaded posting skill. Now aware that file attachments have a provenance requirement.

Each skill knows about the others. The chain self-enforces: want to post a skill to Slack? The posting skill says “pull from shared store.” Skill not in the store? Triggers share-skill to scrub and publish first. Then the scrubbed file gets attached.

No single skill owns the whole workflow. Each owns its piece and knows who to call next.

Step 4: The Meta Test

The chain was tested by using it on itself. The threaded-slack-post skill structured a post about the threaded-slack-post skill, and share-skill scrubbed the SKILL.md before it was attached. The post went out clean. The chain worked.

What the Research Says

This isn’t a pattern we stumbled into — it’s an emerging field.

“AI Skills as the Institutional Knowledge Primitive for Agentic Software Development” (arXiv:2603.14805, Mar 2026) introduces “Atomic Knowledge Units” — composable skill units that form a knowledge graph agents traverse at runtime. Their framing: “Rather than retrieving documents for interpretation, AKUs deliver action-ready specifications encoding what to do, which tools to use, what constraints to respect, and where to go next.” That’s what a skill chain does — each skill encodes its constraints and points to the next skill in the chain.

“Agentic Skills — Beyond Tool Use in LLM Agents” (arXiv:2602.20867, Feb 2026) defines skills as “callable modules that package procedural knowledge with explicit applicability conditions, execution policies, termination criteria, and reusable interfaces.” The key phrase: applicability conditions. Guardrails are exactly that — conditions that determine when one skill must invoke another.

The PII risk is measurable. 77% of organizations experienced at least one AI-related security incident in 2025, with agentic AI flagged as an emerging vector — agents granted broad permissions can combine and exfiltrate data at machine speed with no human intervention. Security researchers note that the attack surface expands the moment an agent connects to business systems. A share-skill scrub gate is the skill-level equivalent of a middleware guardrail — the guard lives inside the workflow, not bolted on outside it.

What This Pattern Looks Like

Catch a failure mode
    → Build a skill that fixes it
        → Discover adjacent patterns the fix doesn't cover
            → Weave existing skills together so they self-enforce

This isn’t a four-step process you plan upfront. It’s emergent. You catch a failure, build the smallest durable fix, then notice that the fix has edges — places where another skill should be aware of it. The weaving happens when you ask: what other skills touch this same workflow, and do they know about the rule I just created?

Why This Matters

Agent skills are institutional knowledge. But isolated skills are like isolated functions — they work in their own scope and break at the boundaries. The real durability comes from skills that reference each other: a posting skill that knows about the scrubbing skill, a scrubbing skill that knows about the store, a store that serves as the clean room gate.

This is the difference between a skill library (a flat list of independent automations) and a skill system (a graph of workflows that self-enforce invariants across boundaries).

One leaked channel ID. Four skills wired together. The chain catches the failure before it happens next time — not because an agent remembered, but because the skills themselves encode the rule.

Share this post on:
Share this post via WhatsApp Share this post on Facebook Share this post on X Share this post via Telegram Share this post on Pinterest Share this post via email

Related

Previous Post
Builder Is an Operating Mode, Not a Job Title
Next Post
Your Agent's Behavior Is Code — Start Versioning It