## Background

Skills today are primarily framed as context (instructions, workflows, reference docs) — but real-world skills often include or reference executable content (scripts, templates, automation). The question is: what's the right MCP mechanism for this?

## Questions to investigate

- **Resources vs. tools for scripts:** Should executable scripts associated with a skill be delivered as resources (read-only content the agent interprets and runs locally) or exposed via a dedicated tool (e.g., `execute_script`) that the server runs on behalf of the agent?
- **Execution environment:** If the server exposes an `execute_script` tool, where does execution happen? Options include:
  - Server-side sandbox (server manages execution environment)
  - Client-side sandbox (server delivers script, client executes in a controlled environment)
  - Delegated to an external execution service
- **Trust and security model:** Script execution raises trust questions beyond passive skill content. What guardrails are needed?
  - Should skill metadata declare that a skill includes executable content (vs. instruction-only)?
  - How does the user/host consent to execution vs. just reading instructions?
  - How does this interact with MCP's existing trust model (server trust)?
- **Relationship to Sampling with Tools:** The "Skills via Sampling" variant (Approach 3 in the repo) proposes `execute_script` as a tool visible only during a sampling request. What are the tradeoffs vs. exposing it as a regular tool?
- **Scope boundary — skills vs. tools:** Is script execution part of the skill itself, or is it a tool that a skill references? This connects to the broader question of whether skills are purely context/instructions or can include executable behavior.
- **Existing patterns in the wild:** How do current implementations turning MCP into executable code handle this today? What can we learn from their approaches?
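To make the "trust and security model" questions above concrete, here is an added example of a host-side gate (illustrative code, not part of this issue, the MCP spec, or any implementation in the repo). It assumes a hypothetical skill manifest with `executable` and `scripts` fields, which MCP does not currently define; the skill name, script URI and script body are constructed sample data. It separates the decision to *read* a script (ordinary server trust) from the decision to *execute* it (declared in metadata, explicitly consented to, and bound to a content digest so a script that changes after the user saw it is refused).

```python
"""Hypothetical host-side gate for executable skill content.

Added example for the trust-model questions in this issue. The manifest
schema (`executable`, `scripts`) and the consent record are assumptions
made for illustration, not an MCP-defined format.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample manifest: the skill declares that it ships a script.
SKILL_MANIFEST = json.dumps({
    "name": "rotate-logs",
    "executable": True,
    "scripts": [{"uri": "skill://rotate-logs/rotate.sh"}],
})

# Constructed sample manifest for an instruction-only skill (no executable flag).
INSTRUCTION_ONLY_MANIFEST = json.dumps({"name": "style-guide"})

# Constructed script body, as the server would deliver it via a resource read.
SCRIPT_BODY = b"#!/bin/sh\nfind /var/log/app -name '*.log' -mtime +7 -delete\n"


@dataclass
class Skill:
    name: str
    executable: bool          # metadata declares executable content
    script_uris: set          # scripts the manifest explicitly lists


@dataclass
class ConsentRecord:
    """User consent to execute, bound to a skill and the digest of the script they reviewed."""
    skill: str
    script_digest: str


def parse_manifest(raw: str) -> Skill:
    """Parse the hypothetical manifest; absent `executable` means instruction-only."""
    m = json.loads(raw)
    uris = {s["uri"] for s in m.get("scripts", [])}
    return Skill(name=m["name"], executable=bool(m.get("executable", False)), script_uris=uris)


def digest(body: bytes) -> str:
    """SHA-256 of the script content, used to pin consent to what the user actually saw."""
    return hashlib.sha256(body).hexdigest()


def may_read(skill: Skill, server_trusted: bool) -> bool:
    """Delivering a script as a resource is passive content: ordinary server trust suffices."""
    return server_trusted


def may_execute(skill: Skill, uri: str, body: bytes,
                consent: Optional[ConsentRecord], server_trusted: bool) -> Tuple[bool, str]:
    """Execution needs every guardrail: trusted server, declared executable content,
    a script the manifest lists, and consent pinned to this exact script body."""
    if not server_trusted:
        return False, "server not trusted"
    if not skill.executable:
        return False, "skill does not declare executable content"
    if uri not in skill.script_uris:
        return False, "script not declared in manifest"
    if consent is None or consent.skill != skill.name:
        return False, "no execution consent for this skill"
    if consent.script_digest != digest(body):
        return False, "script changed since consent"
    return True, "ok"


if __name__ == "__main__":
    skill = parse_manifest(SKILL_MANIFEST)
    consent = ConsentRecord(skill.name, digest(SCRIPT_BODY))
    print(may_execute(skill, "skill://rotate-logs/rotate.sh", SCRIPT_BODY, consent, True))
    print(may_execute(skill, "skill://rotate-logs/rotate.sh", SCRIPT_BODY + b"# edited\n", consent, True))
```

The digest binding is the part worth noting: whichever execution environment is chosen (server-side, client-side or delegated), consent given for one script body should not carry over to a different body served under the same URI later.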
## Acceptance Criteria
- `docs/open-questions.md` or a dedicated analysis document