Agent skill review checklist
Review an agent skill before you enable it
An agent skill can improve a recurring task, add instructions and tool use without helping, or create access your team did not intend. This checklist gives a technical lead one bounded decision: approve, limit, hold, or disable one skill for one task, model, host, and permission set.
Start with a representative task your team already understands. Inspect the package before it loads, run the task with and without the skill under the same conditions, compare correctness before cost, and record where the approval ends.
This checklist supports an engineering review. It does not certify a skill as secure, correct, or suitable for every model, repository, or task.
Make one activation decision at a time
Write down the exact combination under review: skill name and revision, recurring task, model and version, agent host and version, repository state, and permissions. A result from another model or a broad label such as “code review” is not the same decision.
Microsoft’s July 14, 2026 Visual Studio announcement says its built-in .NET and Azure skills are off by default while Microsoft evaluates effectiveness and cost. The company also links to a public evaluation dashboard that compares work with and without skill plugins. That is useful project evidence, but it does not replace a test against your repository, acceptance criteria, permissions, and review burden.
The approval options are deliberately narrow:
- Approve
- enable the named revision for the recorded scope.
- Limit
- allow it only for specified users, repositories, tasks, or manual invocation while evidence develops.
- Hold
- do not load it until an open security, quality, or measurement question is resolved.
- Disable
- remove an active skill because a recorded stop condition has occurred.
Inspect the package before the agent loads it
The Agent Skills specification defines a skill as a directory with a required SKILL.md file and optional scripts, references, assets, and other files. Review the whole directory, not only the visible instructions. Record the maintainer and revision, then inspect any script, command, network request, secret access, permission request, encoded content, or persistence behavior.
A static scan can help find known patterns, but a clean scan is one security signal. It does not show that the skill will improve your task or stay inside the intended access boundary at runtime. The SkillsGuard security guide explains the deeper pre-load review, including scripts, network and secret reach, encoded content, persistence, suppressions, and re-scan dates. Use the AI workflow security review worksheet when the surrounding workflow also needs a full data, credential, approval, retention, and rollback review.
Hold the activation if the package contains an unexplained file, unread encoded content, broader permissions than the task requires, or a finding no reviewer owns. Testing usefulness does not clear a security finding.
Run the same representative task with and without the skill
Choose a task the skill is expected to improve and define success before running it. Use the same prompt, input files, repository commit and working state, model, agent host, permissions, tool availability, limits, and acceptance checks for both runs. Start each run with a fresh context so earlier work does not influence the comparison.
The Agent Skills project’s evaluation guidance recommends a with-skill and without-skill baseline, realistic prompts, clean contexts, observable assertions, human review, and timing data. If you are reviewing a new revision of an existing skill, compare the new revision with the approved revision as well as the no-skill baseline when that distinction affects the decision.
Run enough repetitions to expose inconsistent behavior when the task has meaningful variability. Do not choose a sample size only because one run produced the preferred result. For a broader model or workflow evaluation, use the AI model bake-off guide to check whether the harness, tool schema, budgets, fixtures, and adapter assumptions treat both conditions fairly.
Compare correctness and regressions before operating cost
Review the produced files, tests, citations, commands, and tool traces. Record whether each run completed the task correctly, introduced regressions, stayed within the requested scope, and needed reviewer edits. A polished explanation is not evidence that the code, configuration, or artifact works.
Then compare the operating evidence your host exposes: input and output tokens, total tokens, tool calls, elapsed time, retries, timeouts, and metered cost. Keep unavailable fields blank rather than estimating them. More tool calls or tokens may be justified by a material quality gain, but the reviewer should be able to name the gain.
The public .NET Skills evaluation dashboard tracks quality with and without skills alongside token usage, model, timeouts, and overfitting signals. In maintainer issue #886, the project reports different outcomes across model families, added tool-call overhead, and rubric overfitting risk for analyzing-dotnet-performance. Treat those results as evidence about that project’s tests, not as a benchmark for your skill or workload.
Use the Model Facts Register when the decision depends on provider, model version, region, quota, pricing, retention, SDK behavior, or a fallback path that can change after approval.
Limit where approval applies and define when it expires
An approval should name the users, repositories, tasks, environments, and invocation mode covered by the evidence. Specify whether the skill may load automatically or only when a developer selects it. If it can call another agent or service, use the Agent Access Matrix to name allowed callers, scopes, operations, credentials, logs, limits, and the person who can close the path.
Assign an owner and an expiry or retest trigger. Common triggers include a skill revision, maintainer change, model or host update, permission change, repository policy change, new bundled script, quality regression, unexpected tool use, or cost above the recorded ceiling.
Write the deactivation condition as an observable result. Examples of condition shape include “disable if required tests regress,” “return to manual invocation after an unexplained network call,” or “retest before using a new model version.” These are examples of wording, not recommended thresholds; the team must set the actual condition for its task.
| Review area | Without skill | With skill | Decision |
|---|---|---|---|
| Correct result and required tests | |||
| Regressions or work outside scope | |||
| Reviewer edits or rework | |||
| Tokens and metered cost exposed by the host | |||
| Tool calls, retries, timeouts, and elapsed time | |||
| Unexpected access or behavior |
Compare the two runs and record the decision
Correct result and required tests
- Without skill
- With skill
- Decision
Regressions or work outside scope
- Without skill
- With skill
- Decision
Reviewer edits or rework
- Without skill
- With skill
- Decision
Tokens and metered cost exposed by the host
- Without skill
- With skill
- Decision
Tool calls, retries, timeouts, and elapsed time
- Without skill
- With skill
- Decision
Unexpected access or behavior
- Without skill
- With skill
- Decision
Activation ownership boundary
- Owner
- Approved scope
- Retest trigger
- Disable when
Choose approve, limit, hold, or disable, then state the evidence that supports the decision. A blank security finding, missing baseline, unknown owner, or undefined deactivation condition is a reason to hold, not a reason to assume the vendor default is safe.
Blank template — complete this for one skill and one recurring task.
Agent skill activation checklist
Review identity
- Skill name
- Skill source / maintainer
- Skill revision or commit
- Recurring task under review
- Repository and commit / clean starting state
- Model and version
- Agent host and version
- Permissions and tools available
- Review owner
- Review date
1. Package inspection
- Reviewed SKILL.md and every bundled file
- Reviewed scripts and shell / runtime commands
- Recorded network destinations and external instruction sources
- Recorded secret, credential, environment-variable, and private-file access
- Checked requested permissions against the task
- Decoded and reviewed encoded or obfuscated content
- Checked startup changes, persistence, hooks, and configuration writes
- Recorded static-scan results and every suppression
- Open security findings
- Finding owner and resolution
- Package decision: pass / hold
2. Fair comparison
- Representative prompt / task
- Expected result
- Required tests or assertions
- Input files / fixture
- Run count
- Same repository state confirmed: yes / no
- Same model and host confirmed: yes / no
- Same permissions, tools, limits, and prompt confirmed: yes / no
- Fresh context for each run confirmed: yes / no
- Evidence locations for outputs, tests, and traces
3. Result quality
| Measure | Without skill | With skill |
|---|---|---|
| Correct result / acceptance checks | ||
| Tests passed and regressions | ||
| Work outside requested scope | ||
| Reviewer edits / rework | ||
| Repeatability across runs | ||
| Unexpected behavior |
Correct result / acceptance checks
- Without skill
- With skill
Tests passed and regressions
- Without skill
- With skill
Work outside requested scope
- Without skill
- With skill
Reviewer edits / rework
- Without skill
- With skill
Repeatability across runs
- Without skill
- With skill
Unexpected behavior
- Without skill
- With skill
4. Operating cost
| Measure | Without skill | With skill |
|---|---|---|
| Input / output / total tokens, as exposed | ||
| Tool calls | ||
| Retries / timeouts | ||
| Elapsed time | ||
| Metered cost, as exposed |
Input / output / total tokens, as exposed
- Without skill
- With skill
Tool calls
- Without skill
- With skill
Retries / timeouts
- Without skill
- With skill
Elapsed time
- Without skill
- With skill
Metered cost, as exposed
- Without skill
- With skill
- Quality gain that justifies added cost, if any
- Unknown or unavailable cost fields
5. Activation boundary
- Approved users / teams
- Approved repositories / environments
- Approved tasks
- Invocation mode: automatic / manual only / disabled
- Access, tools, and permissions allowed
- Activation owner
- Expiry date or review cadence
- Retest triggers
- Deactivation condition
- Disable owner and mechanism
Final decision
- Final decision: approve / limit / hold / disable
- Decision reason
- Evidence links
- Reviewer
- Approval date
Source links
- Microsoft Visual Studio announcement, July 14, 2026
- Agent Skills specification and evaluation guidance
- .NET skills repository and evaluation dashboard
- Maintainer issue #886 for the named performance-analysis skill
Need help designing the comparison?
BaristaLabs can help a team turn one recurring development task into a fair skill evaluation: package review, acceptance checks, with-and-without runs, tool and token evidence, activation scope, and a deactivation trigger. See AI-Assisted Website Development for maintainable AI-assisted delivery, or review one agent skill setup when you already have a skill and task to assess.
Review one agent skill setupBring one skill revision, one representative task, and the acceptance checks your reviewer already uses.