Skip to main content

Agent skill review checklist

Review an agent skill before you enable it

An agent skill can improve a recurring task, add instructions and tool use without helping, or create access your team did not intend. This checklist gives a technical lead one bounded decision: approve, limit, hold, or disable one skill for one task, model, host, and permission set.

Start with a representative task your team already understands. Inspect the package before it loads, run the task with and without the skill under the same conditions, compare correctness before cost, and record where the approval ends.

This checklist supports an engineering review. It does not certify a skill as secure, correct, or suitable for every model, repository, or task.

Make one activation decision at a time

Write down the exact combination under review: skill name and revision, recurring task, model and version, agent host and version, repository state, and permissions. A result from another model or a broad label such as “code review” is not the same decision.

Microsoft’s July 14, 2026 Visual Studio announcement says its built-in .NET and Azure skills are off by default while Microsoft evaluates effectiveness and cost. The company also links to a public evaluation dashboard that compares work with and without skill plugins. That is useful project evidence, but it does not replace a test against your repository, acceptance criteria, permissions, and review burden.

The approval options are deliberately narrow:

Approve
enable the named revision for the recorded scope.
Limit
allow it only for specified users, repositories, tasks, or manual invocation while evidence develops.
Hold
do not load it until an open security, quality, or measurement question is resolved.
Disable
remove an active skill because a recorded stop condition has occurred.

Inspect the package before the agent loads it

The Agent Skills specification defines a skill as a directory with a required SKILL.md file and optional scripts, references, assets, and other files. Review the whole directory, not only the visible instructions. Record the maintainer and revision, then inspect any script, command, network request, secret access, permission request, encoded content, or persistence behavior.

A static scan can help find known patterns, but a clean scan is one security signal. It does not show that the skill will improve your task or stay inside the intended access boundary at runtime. The SkillsGuard security guide explains the deeper pre-load review, including scripts, network and secret reach, encoded content, persistence, suppressions, and re-scan dates. Use the AI workflow security review worksheet when the surrounding workflow also needs a full data, credential, approval, retention, and rollback review.

Hold the activation if the package contains an unexplained file, unread encoded content, broader permissions than the task requires, or a finding no reviewer owns. Testing usefulness does not clear a security finding.

Run the same representative task with and without the skill

Choose a task the skill is expected to improve and define success before running it. Use the same prompt, input files, repository commit and working state, model, agent host, permissions, tool availability, limits, and acceptance checks for both runs. Start each run with a fresh context so earlier work does not influence the comparison.

The Agent Skills project’s evaluation guidance recommends a with-skill and without-skill baseline, realistic prompts, clean contexts, observable assertions, human review, and timing data. If you are reviewing a new revision of an existing skill, compare the new revision with the approved revision as well as the no-skill baseline when that distinction affects the decision.

Run enough repetitions to expose inconsistent behavior when the task has meaningful variability. Do not choose a sample size only because one run produced the preferred result. For a broader model or workflow evaluation, use the AI model bake-off guide to check whether the harness, tool schema, budgets, fixtures, and adapter assumptions treat both conditions fairly.

Compare correctness and regressions before operating cost

Review the produced files, tests, citations, commands, and tool traces. Record whether each run completed the task correctly, introduced regressions, stayed within the requested scope, and needed reviewer edits. A polished explanation is not evidence that the code, configuration, or artifact works.

Then compare the operating evidence your host exposes: input and output tokens, total tokens, tool calls, elapsed time, retries, timeouts, and metered cost. Keep unavailable fields blank rather than estimating them. More tool calls or tokens may be justified by a material quality gain, but the reviewer should be able to name the gain.

The public .NET Skills evaluation dashboard tracks quality with and without skills alongside token usage, model, timeouts, and overfitting signals. In maintainer issue #886, the project reports different outcomes across model families, added tool-call overhead, and rubric overfitting risk for analyzing-dotnet-performance. Treat those results as evidence about that project’s tests, not as a benchmark for your skill or workload.

Use the Model Facts Register when the decision depends on provider, model version, region, quota, pricing, retention, SDK behavior, or a fallback path that can change after approval.

Limit where approval applies and define when it expires

An approval should name the users, repositories, tasks, environments, and invocation mode covered by the evidence. Specify whether the skill may load automatically or only when a developer selects it. If it can call another agent or service, use the Agent Access Matrix to name allowed callers, scopes, operations, credentials, logs, limits, and the person who can close the path.

Assign an owner and an expiry or retest trigger. Common triggers include a skill revision, maintainer change, model or host update, permission change, repository policy change, new bundled script, quality regression, unexpected tool use, or cost above the recorded ceiling.

Write the deactivation condition as an observable result. Examples of condition shape include “disable if required tests regress,” “return to manual invocation after an unexplained network call,” or “retest before using a new model version.” These are examples of wording, not recommended thresholds; the team must set the actual condition for its task.

Compare the two runs and record the decision
Review areaWithout skillWith skillDecision
Correct result and required tests
Regressions or work outside scope
Reviewer edits or rework
Tokens and metered cost exposed by the host
Tool calls, retries, timeouts, and elapsed time
Unexpected access or behavior

Compare the two runs and record the decision

Correct result and required tests

Without skill
With skill
Decision

Regressions or work outside scope

Without skill
With skill
Decision

Reviewer edits or rework

Without skill
With skill
Decision

Tokens and metered cost exposed by the host

Without skill
With skill
Decision

Tool calls, retries, timeouts, and elapsed time

Without skill
With skill
Decision

Unexpected access or behavior

Without skill
With skill
Decision

Activation ownership boundary

Owner
Approved scope
Retest trigger
Disable when

Choose approve, limit, hold, or disable, then state the evidence that supports the decision. A blank security finding, missing baseline, unknown owner, or undefined deactivation condition is a reason to hold, not a reason to assume the vendor default is safe.

Blank template — complete this for one skill and one recurring task.

Agent skill activation checklist

Review identity

Skill name
Skill source / maintainer
Skill revision or commit
Recurring task under review
Repository and commit / clean starting state
Model and version
Agent host and version
Permissions and tools available
Review owner
Review date

1. Package inspection

  • Reviewed SKILL.md and every bundled file
  • Reviewed scripts and shell / runtime commands
  • Recorded network destinations and external instruction sources
  • Recorded secret, credential, environment-variable, and private-file access
  • Checked requested permissions against the task
  • Decoded and reviewed encoded or obfuscated content
  • Checked startup changes, persistence, hooks, and configuration writes
  • Recorded static-scan results and every suppression
Open security findings
Finding owner and resolution
Package decision: pass / hold

2. Fair comparison

Representative prompt / task
Expected result
Required tests or assertions
Input files / fixture
Run count
Same repository state confirmed: yes / no
Same model and host confirmed: yes / no
Same permissions, tools, limits, and prompt confirmed: yes / no
Fresh context for each run confirmed: yes / no
Evidence locations for outputs, tests, and traces

3. Result quality

Result quality comparison
MeasureWithout skillWith skill
Correct result / acceptance checks
Tests passed and regressions
Work outside requested scope
Reviewer edits / rework
Repeatability across runs
Unexpected behavior

Correct result / acceptance checks

Without skill
With skill

Tests passed and regressions

Without skill
With skill

Work outside requested scope

Without skill
With skill

Reviewer edits / rework

Without skill
With skill

Repeatability across runs

Without skill
With skill

Unexpected behavior

Without skill
With skill

4. Operating cost

Operating cost comparison
MeasureWithout skillWith skill
Input / output / total tokens, as exposed
Tool calls
Retries / timeouts
Elapsed time
Metered cost, as exposed

Input / output / total tokens, as exposed

Without skill
With skill

Tool calls

Without skill
With skill

Retries / timeouts

Without skill
With skill

Elapsed time

Without skill
With skill

Metered cost, as exposed

Without skill
With skill
Quality gain that justifies added cost, if any
Unknown or unavailable cost fields

5. Activation boundary

Approved users / teams
Approved repositories / environments
Approved tasks
Invocation mode: automatic / manual only / disabled
Access, tools, and permissions allowed
Activation owner
Expiry date or review cadence
Retest triggers
Deactivation condition
Disable owner and mechanism

Final decision

Final decision: approve / limit / hold / disable
Decision reason
Evidence links
Reviewer
Approval date

Need help designing the comparison?

BaristaLabs can help a team turn one recurring development task into a fair skill evaluation: package review, acceptance checks, with-and-without runs, tool and token evidence, activation scope, and a deactivation trigger. See AI-Assisted Website Development for maintainable AI-assisted delivery, or review one agent skill setup when you already have a skill and task to assess.

Review one agent skill setup

Bring one skill revision, one representative task, and the acceptance checks your reviewer already uses.