--- title: "From Failure Mode to Skill Chain" description: "When an agent leaked a Slack channel ID by bypassing the scrub-and-publish skill, the fix wasn't a memory — it was wiring three skills together so the chain self-enforces." canonical_url: "https://artificialcuriositylabs.ai/posts/from-failure-mode-to-skill-chain/" md_url: "https://artificialcuriositylabs.ai/posts/from-failure-mode-to-skill-chain.md" published_at: "2026-04-21T00:00:00.000Z" tags: - "ai-native" - "agents" - "skills" - "patterns" - "build-log" --- ## TL;DR - An agent leaked a hardcoded Slack channel ID by bypassing the scrub-and-publish skill and copying a local skill file directly — the PII scan never ran because the posting skill had no awareness of the scrubbing skill. - The structural fix isn't a memory or a comment — it's a guardrail baked into the skill's own frontmatter that executes every time, making the correct flow self-enforcing. - 77% of organizations experienced at least one AI-related security incident in 2025; agentic AI is a growing vector because agents granted broad permissions can exfiltrate data at machine speed with no human intervention. - Skills that touch the same workflow must reference each other: a posting skill that can attach files needs to know about the scrubbing skill, or the agent always takes the faster unguarded path. - The pattern — catch failure → build smallest durable fix → discover adjacent gaps → weave skills together — is emergent, not planned upfront; the value is a skill system that enforces invariants across boundaries, not a flat list of independent automations. --- > *One leaked channel ID, four skills wired together, and the failure mode is structurally prevented — not remembered.* An agent leaked a Slack channel ID because it shared a skill file from its local directory instead of the scrubbed shared store. Fixing that one failure produced a four-skill chain where each skill knows about the others — and the chain now self-enforces. Here's how it happened in real time, and why the academic research says this pattern matters. --- ## The Failure I asked the agent to share a skill file in a Slack channel. The agent copied the SKILL.md from its local skills directory and uploaded it directly. The file contained a hardcoded Slack channel ID — personal context that should have been scrubbed before sharing. The scrub-and-publish skill (`share-skill`) existed. The agent didn't use it. It took the shortcut: copy local → upload. The PII scan that would have caught the channel ID never ran. ## Step 1: Catch the Failure, Build the First Fix The immediate fix was mechanical: scan the file, replace the channel ID, re-upload the clean version. But patching one file doesn't prevent the pattern from recurring. The structural fix: add a guardrail to `share-skill` itself — a pre-flight rule that says "the shared store is the clean room; local skills are never safe to share externally." Now the skill's own instructions enforce the correct flow: ``` Local skill → share-skill (scrub gate) → shared store (clean room) → external share ``` Not a memory. Not a comment. A rule baked into the skill that executes every time. The guardrail lives in the frontmatter: ```markdown --- name: share-skill description: Use when sharing any skill file externally. ALWAYS pull from the shared store — never attach a local skill directly. If the skill isn't in the store yet, run this skill to scrub and publish it first. --- # Share Skill ## Pre-flight (run before anything else) - [ ] Is the skill already in the shared store? If yes, use that version. - [ ] If not: scrub all personal context (channel IDs, aliases, internal URLs) before publishing. Use token_schema.yaml as the substitution map. ## Rule Local skill files are never safe to share externally. They may contain hardcoded personal context. The shared store is the clean room. ``` ## Step 2: Discover the Adjacent Pattern The failure didn't happen inside `share-skill` — it happened because `share-skill` was bypassed. The agent was executing a different skill (`threaded-slack-post`) to post content to Slack, and that skill had no awareness that file attachments need scrubbing. This is the pattern discovery moment: skills that touch the same workflow need to know about each other. A posting skill that can attach files needs to know about the scrubbing skill. Otherwise the agent takes whichever path is fastest — and "copy from local" is always faster than "scrub first." ## Step 3: Weave the Skills Together Three skills now reference each other. `share-skill` — the scrub gate. Added a guardrail header: "When ANY skill file needs to go outside the agent, MUST pull from the shared store. If not there, run this skill first." `post-to-feedback` — the Slack posting skill for the feedback channel. Added a file attachment guardrail: "When uploading skill files: ALWAYS pull from the shared store." `threaded-slack-post` — the general-purpose threaded posting skill. Now aware that file attachments have a provenance requirement. Each skill knows about the others. The chain self-enforces: want to post a skill to Slack? The posting skill says "pull from shared store." Skill not in the store? Triggers `share-skill` to scrub and publish first. Then the scrubbed file gets attached. No single skill owns the whole workflow. Each owns its piece and knows who to call next. ## Step 4: The Meta Test The chain was tested by using it on itself. The `threaded-slack-post` skill structured a post about the `threaded-slack-post` skill, and `share-skill` scrubbed the SKILL.md before it was attached. The post went out clean. The chain worked. --- ## What the Research Says This isn't a pattern we stumbled into — it's an emerging field. "AI Skills as the Institutional Knowledge Primitive for Agentic Software Development" ([arXiv:2603.14805](https://arxiv.org/abs/2603.14805), Mar 2026) introduces "Atomic Knowledge Units" — composable skill units that form a knowledge graph agents traverse at runtime. Their framing: "Rather than retrieving documents for interpretation, AKUs deliver action-ready specifications encoding what to do, which tools to use, what constraints to respect, and where to go next." That's what a skill chain does — each skill encodes its constraints and points to the next skill in the chain. "Agentic Skills — Beyond Tool Use in LLM Agents" ([arXiv:2602.20867](https://arxiv.org/html/2602.20867), Feb 2026) defines skills as "callable modules that package procedural knowledge with explicit applicability conditions, execution policies, termination criteria, and reusable interfaces." The key phrase: applicability conditions. Guardrails are exactly that — conditions that determine when one skill must invoke another. The PII risk is measurable. [77% of organizations experienced at least one AI-related security incident in 2025](https://witness.ai/blog/ai-data-leaks/), with agentic AI flagged as an emerging vector — agents granted broad permissions can combine and exfiltrate data at machine speed with no human intervention. [Security researchers](https://genai.owasp.org/llmrisk/llm02-insecure-output-handling/) note that the attack surface expands the moment an agent connects to business systems. A `share-skill` scrub gate is the skill-level equivalent of a middleware guardrail — the guard lives inside the workflow, not bolted on outside it. --- ## What This Pattern Looks Like ``` Catch a failure mode → Build a skill that fixes it → Discover adjacent patterns the fix doesn't cover → Weave existing skills together so they self-enforce ``` This isn't a four-step process you plan upfront. It's emergent. You catch a failure, build the smallest durable fix, then notice that the fix has edges — places where another skill should be aware of it. The weaving happens when you ask: what other skills touch this same workflow, and do they know about the rule I just created? --- ## Why This Matters Agent skills are institutional knowledge. But isolated skills are like isolated functions — they work in their own scope and break at the boundaries. The real durability comes from skills that reference each other: a posting skill that knows about the scrubbing skill, a scrubbing skill that knows about the store, a store that serves as the clean room gate. This is the difference between a skill library (a flat list of independent automations) and a skill *system* (a graph of workflows that self-enforce invariants across boundaries). One leaked channel ID. Four skills wired together. The chain catches the failure before it happens next time — not because an agent remembered, but because the skills themselves encode the rule.