惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Tenable Blog
MyScale Blog
MyScale Blog
罗磊的独立博客
Hugging Face - Blog
Hugging Face - Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
爱范儿
爱范儿
博客园 - 司徒正美
D
Darknet – Hacking Tools, Hacker News & Cyber Security
量子位
N
News | PayPal Newsroom
S
Secure Thoughts
酷 壳 – CoolShell
酷 壳 – CoolShell
L
LINUX DO - 热门话题
有赞技术团队
有赞技术团队
V
Visual Studio Blog
T
Tailwind CSS Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Project Zero
Project Zero
B
Blog RSS Feed
J
Java Code Geeks
Google Online Security Blog
Google Online Security Blog
Last Week in AI
Last Week in AI
Cyberwarzone
Cyberwarzone
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
小众软件
小众软件
博客园 - 【当耐特】
Latest news
Latest news
T
Threat Research - Cisco Blogs
aimingoo的专栏
aimingoo的专栏
博客园_首页
博客园 - 三生石上(FineUI控件)
Engineering at Meta
Engineering at Meta
D
Docker
Forbes - Security
Forbes - Security
Help Net Security
Help Net Security
Apple Machine Learning Research
Apple Machine Learning Research
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Simon Willison's Weblog
Simon Willison's Weblog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
V2EX - 技术
V2EX - 技术
N
Netflix TechBlog - Medium
The Last Watchdog
The Last Watchdog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Threatpost
Cloudbric
Cloudbric
T
The Exploit Database - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 叶小钗
Webroot Blog
Webroot Blog

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
What AI Tools, MCP Servers, and Skills Actually Do
Andrea Chiar · 2026-05-19 · via DEV Community

I remember being very confused when I first heard about an LLM's ability to request code execution. This feature has been called various names: tool, action, plugin, function. Now the terminology is settling on a single name: tool. However, talking to other developers and reading comments online, I see the confusion has shifted elsewhere. Some argue that, with the introduction of skills by Anthropic, MCP no longer makes sense, and others aren't convinced of the usefulness of MCP compared to direct tool calls.

The confusion is architectural. Tools, MCP servers, and skills solve different problems at different layers.

AI Tools Are the Model's Swiss Army Knife

At the most fundamental level, an AI tool is a function that a language model can decide to call. Not a metaphor for "capability" in general, but a specific, callable function with a defined input schema and a predictable output.

When a model needs information or an action it can't produce from training alone, it generates a structured call to a tool: something like "call get_customer_record with customer_id: 12345." The host application intercepts that call, runs the actual function, and returns the result to the model. The model then incorporates it and continues.

While the tool calling concept is the same across the different LLMs, each one has its own specifications to invoke tools. Check out OpenAI, Claude, or Gemini documentation for some specific examples.

Tools are what give AI its "hands." Without them, a model is impressively articulate but isolated from live data and the systems where real work happens. With them, it can search databases, call APIs, send messages, or trigger business logic in response to what a user needs.

The key property to hold onto: a tool should know how to execute one thing. It doesn't decide when to be called. That judgment belongs to the model, or in more complex systems, to something above it.

Here's what that looks like in code. Using the Anthropic SDK, you define a tool as a JSON schema: its name, a description the model uses to decide when to invoke it, and the inputs it expects:

import anthropic

client = anthropic.Anthropic()

tools = [{
   "name": "get_customer_record",
   "description": "Retrieve a customer's account details by ID",
   "input_schema": {
       "type": "object",
       "properties": {
           "customer_id": {"type": "string", "description": "The unique customer identifier"}
       },
       "required": ["customer_id"]
   }
}]

response = client.messages.create(
   model="claude-opus-4-6",
   max_tokens=1024,
   tools=tools,
   messages=[{"role": "user", "content": "Look up customer C-12345"}]
)

# When the model decides to use the tool, it returns a structured tool_use block
tool_use = response.content[0]
print(tool_use.name)   # get_customer_record
print(tool_use.input)  # {"customer_id": "C-12345"}

Enter fullscreen mode Exit fullscreen mode

A few things to notice:

  • description: This is what the model reads to decide whether to call the tool. A clear, accurate description matters more than the schema itself.
  • input_schema: The structured contract. The model generates arguments that conform to this schema when it decides to invoke the tool.
  • tool_use block: What the model provides when it wants to call a tool. Your application handles the actual execution and passes the result back in the next turn to continue the conversation.

The model never runs the function itself. It produces a structured intent. Your application does the work.

MCP Servers Are the Universal Translator

At first glance, an MCP server might look like a more elaborate way to define tools. In practice, it solves a different problem.

The Model Context Protocol (MCP) is an open standard that introduces a protocol layer between AI applications and the services they connect to. Think of it as USB-C for AI: a universal connector that lets any compliant client communicate with any compliant server, regardless of which model runs underneath.

Without MCP, every AI application builds its own integrations: a custom function schema for one client, a different one for another, yet another for whichever agent framework a team has chosen. The same capability gets re-implemented for each consumer. MCP exists to eliminate that duplication.

Here's how the architecture works:

  • MCP clients are the components that hosts (i.e., AI applications such as Claude Desktop, a VS Code extension, a custom agent, etc.) instantiate to initiate connections to servers.
  • MCP servers expose three types of primitives:
    • Tools: actions the AI can invoke.
    • Resources: data the AI can read.
    • Prompts: pre-built interaction templates.

The MCP transport layer is equally flexible. The protocol runs over standard I/O for local processes, or HTTP with Server-Sent Events for remote services, using OAuth 2.1 for authentication on remote connections.

What makes MCP structurally different from direct tool definitions is decoupling. A tool definition embedded in a model API call is tightly coupled to that application. An MCP server is portable: the same server works across any compliant client. Build a GitHub integration once, connect it everywhere.

There's also the matter of bidirectionality: an MCP server can request that the AI client sample from the language model, enabling interactions that go beyond a simple request-response pattern like an API. It's a more symmetric relationship than direct function calling, which flows strictly from model to function.

AI Skills Direct the Work

Skills occupy a different layer from tools and MCP servers entirely.

Where a tool is a capability and an MCP server is the infrastructure for exposing it, a skill is closer to a recipe: higher-level instructions that tell an AI when and how to use its available capabilities to accomplish a complex goal. A skill doesn't replace tools. It orchestrates them.

In practice, a skill combines three things:

  • System prompts: Instructions that define a persona and a set of constraints.
  • Logic/Workflows: A series of steps the model should follow.
  • Tool selection strategy: Knowing which tool to pick in a specific sequence to achieve a complex goal.

Consider a customer support scenario. Handling a refund request might involve checking the customer record, looking up the original transaction, verifying return eligibility based on policy, and then either initiating the refund or escalating to a human, as shown in the following diagram:

Diagram showing the flow for a purchase refund AI skill

Each step might invoke a different tool. The skill is the framework that defines the sequence, the conditions, and the decision points. Skills carry the domain knowledge and reasoning structure that raw tool access doesn't provide.

Anthropic formalized the skills concept for Claude Code, and the format is now an open standard gaining adoption across AI coding tools. The refund scenario above could be expressed as in the following example:

---
name: handle-refund-request
description: "Handle a refund request from the user."
---

You are a customer support agent for Acme Corp.
You have access to: `get_customer_record`, `get_transaction`,
`initiate_refund`, `escalate_to_human`.

When a user requests a refund:

1. Verify the account with `get_customer_record`
2. Retrieve the purchase details with `get_transaction`
3. If the purchase was within 30 days and its amout is less than $500, call `initiate_refund`
4. For amounts over $500, always escalate regardless of purchase date
5. If ineligible, call `escalate_to_human` and explain why
​
Never approve a refund without completing steps 1 and 2 first.

Enter fullscreen mode Exit fullscreen mode

Compare this to the tool definition from the previous section. The tool schema said nothing about when to be called, what order to follow, or what to do when an amount exceeds a threshold. The skill encodes all of that:

  • Available tools: The skill names the specific tools relevant to this task, not everything the agent has access to.
  • Sequence and conditions: Steps 1–5 define the order and the branching logic.
  • Guard rails: "Never approve without completing steps 1 and 2" is judgment the tools themselves can't encode.

The tools handle execution. The skill handles when, in what order, and under what conditions.

The distinction from tools becomes clearest at the boundary between capability and judgment. A tool knows how to execute a database query. A skill knows when a query is the right mechanism versus, say, asking a user for clarification first. That's the bridge skills provide: from what an AI can do to what it should do in a given scenario.

Key Differences at a Glance

The distinction between tools, MCP servers, and skills lies in their architectural layer, scope, and security considerations:

  • Definition and scope: A tool is a fundamental capability, defined as a single, specific callable function that the model can invoke via its API schema. Above this is the MCP server, which acts as a standardized protocol server. It exposes a collection of capabilities, including actions, data, and prompts, which are used by AI clients via the MCP protocol. The highest layer is the skill, which is not a capability but a set of instructions guiding AI behavior toward a complex goal, managing a multi-step workflow or domain reasoning through the agent's orchestration layer.
  • Coupling and portability: Another key difference is portability. Tools are tightly coupled to the application they are defined within. In contrast, MCP servers are portable, designed to work across any compliant client, making them a universal connector. Skills are specific to the particular task or domain they are designed for.
  • Security surface: Each layer presents a distinct security surface. Security for tools focuses on function-level permissions. MCP servers manage risk through protocol-level consent and capability negotiation. Skills introduce behavioral guardrails and decision boundaries, controlling the overall logic and sequence of actions to ensure appropriate conduct.

The following picture summarizes these distinctions:

Table showing the architectural layer, scope, and security considerations for AI tools, MCP servers, and skills.

The relationship is hierarchical: skills direct what to accomplish, tools do the work, and MCP servers are the infrastructure that makes tools available consistently. None of the three replaces the others.

A Security Perspective

Each layer introduces distinct security considerations, and they compound when combined.

At the tool layer, the core risk is over-permission. A tool that can read and write to a database, when the AI only needs to read, creates unnecessary exposure. Prompt injection attacks (where malicious content in retrieved data tricks a model into taking unintended actions) are most damaging when tools have broad permissions. The principle of least privilege applies here as directly as it does anywhere in security engineering.

At the MCP server layer, the attack surface expands because MCP servers are external processes, often network-accessible, and connected to by multiple clients. The risks here include:

  • Tool poisoning: A malicious or compromised server exposes functions that look legitimate but behave maliciously when called.
  • Unauthorized access: Without proper authentication, any client could invoke a server's capabilities, including sensitive ones.
  • Scope creep: Servers that expose more than intended, by design or misconfiguration, give connected clients broader access than warranted.

The MCP specification addresses this through explicit consent requirements and capability negotiation, but correct implementation is the server author's responsibility. Remote MCP servers should require OAuth 2.1-based authentication, and permissions granted to any connection should follow the least-privilege principle.

To mitigate risks in both tools and MCP servers, apply the following:

  • Strict Scoping: Never give an AI tool a "God Mode" API key. Use scoped tokens that only allow the specific actions required for that tool.
  • Human-in-the-Loop: For high-stakes tools (like making a payment or deleting data), always require an approval from the user before the application executes the model's tool call.
  • Input Validation: Treat every argument generated by an LLM as untrusted user input. Validate the types, ranges, and permissions before hitting your backend.

At the skills layer, the risks become behavioral. Skills that don't account for adversarial inputs, that allow irreversible actions without human confirmation, or that chain too many autonomous steps without a checkpoint are dangerous in a specific way. By the time someone can intervene, the damage is done.

Auth0 for AI Agents addresses several of these challenges at the identity layer. Based on standards, it provides support for user authentication, delegation patterns for acting on a user's behalf, and asynchronous authorization for scenarios where sensitive operations need human sign-off before proceeding. Auth0's MCP support, now generally available, provides OAuth 2.1-based authentication for MCP servers.

The underlying principle is familiar from traditional IAM: identity infrastructure doesn't fundamentally change because the client is an AI, but the patterns for applying it need to account for how agentic systems behave differently.

Three Layers, One System

The shift from AI as a generator to AI as an actor is real, and the architecture that supports it is becoming clearer:

  • Tools give AI a way to act on the world.
  • MCP servers give it a consistent, portable way to access those actions.
  • Skills give it the reasoning framework to act appropriately.

Each layer has its own design considerations, its own security surface, and its own place in a well-structured AI system. Understanding the distinctions is foundational to building systems that aren't just capable, but trustworthy. As the tooling matures, the teams that understand the layers will be the ones building systems they can actually reason about.

For a closer look at the vulnerabilities that emerge in agentic AI, five critical AI agent security risks is a practical next step. If you're working through identity for MCP servers specifically, the Auth0 AI documentation covers authentication, delegation, and human-in-the-loop authorization patterns.