feat(skills): added skills to agent block (#3149)

* feat(skills): added skills to agent block

* improvement(skills): audit fixes, docs, icon, and UX polish

* fix(skills): consolidate redundant permission checks in POST and DELETE

* more friendly error for duplicate skills in the same workspace

* fix(executor):  loop sentinel-end wrongly queued (#3148)

* fix(executor):  loop sentinel-end wrongly queued

* fix nested subflow error highlighting

* fix(linear): align tool outputs, queries, and pagination with API (#3150)

* fix(linear): align tool outputs, queries, and pagination with API

* fix(linear): coerce first param to number, remove duplicate conditions, add null guard

* fix(resolver): response format and evaluator metrics in deactivated branch (#3152)

* fix(resolver): response format in deactivated branch

* add evaluator metrics too

* add child workflow id to the workflow block outputs

* cleanup typing

* feat(slack): add file attachment support to slack webhook trigger (#3151)

* feat(slack): add file attachment support to slack webhook trigger

* additional file handling

* lint

* ack comment

* fix(skills): hide skill selection when disabled, remove dead code

---------

Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com>

Author: waleedlatif1

apps/docs/content/docs/en/meta.json

@@ -10,6 +10,7 @@
     "connections",
     "mcp",
     "copilot",
+    "skills",
     "knowledgebase",
     "variables",
     "execution",

apps/docs/content/docs/en/skills/index.mdx

@@ -0,0 +1,83 @@
+---
+title: Agent Skills
+---
+
+import { Callout } from 'fumadocs-ui/components/callout'
+
+Agent Skills are reusable packages of instructions that give your AI agents specialized capabilities. Based on the open [Agent Skills](https://agentskills.io) format, skills let you capture domain expertise, workflows, and best practices that agents can load on demand.
+
+## How Skills Work
+
+Skills use **progressive disclosure** to keep agent context lean:
+
+1. **Discovery** — Only skill names and descriptions are included in the agent's system prompt (~50-100 tokens each)
+2. **Activation** — When the agent decides a skill is relevant, it calls the `load_skill` tool to load the full instructions into context
+3. **Execution** — The agent follows the loaded instructions to complete the task
+
+This means you can attach many skills to an agent without bloating its context window. The agent only loads what it needs.
+
+## Creating Skills
+
+Go to **Settings** (gear icon) and select **Skills** under the Tools section.
+
+Click **Add** to create a new skill with three fields:
+
+| Field | Description |
+|-------|-------------|
+| **Name** | A kebab-case identifier (e.g. `sql-expert`, `code-reviewer`). Max 64 characters. |
+| **Description** | A short explanation of what the skill does and when to use it. This is what the agent reads to decide whether to activate the skill. Max 1024 characters. |
+| **Content** | The full skill instructions in markdown. This is loaded when the agent activates the skill. |
+
+<Callout type="info">
+  The description is critical — it's the only thing the agent sees before deciding to load a skill. Be specific about when and why the skill should be used.
+</Callout>
+
+### Writing Good Skill Content
+
+Skill content follows the same conventions as [SKILL.md files](https://agentskills.io/specification):
+
+```markdown
+# SQL Expert
+
+## When to use this skill
+Use when the user asks you to write, optimize, or debug SQL queries.
+
+## Instructions
+1. Always ask which database engine (PostgreSQL, MySQL, SQLite)
+2. Use CTEs over subqueries for readability
+3. Add index recommendations when relevant
+4. Explain query plans for optimization requests
+
+## Common Patterns
+...
+```
+
+## Adding Skills to an Agent
+
+Open any **Agent** block and find the **Skills** dropdown below the tools section. Select the skills you want the agent to have access to.
+
+Selected skills appear as chips that you can click to edit or remove.
+
+### What Happens at Runtime
+
+When the workflow runs:
+
+1. The agent's system prompt includes an `<available_skills>` section listing each skill's name and description
+2. A `load_skill` tool is automatically added to the agent's available tools
+3. When the agent determines a skill is relevant to the current task, it calls `load_skill` with the skill name
+4. The full skill content is returned as a tool response, giving the agent detailed instructions
+
+This works across all supported LLM providers — the `load_skill` tool uses standard tool-calling, so no provider-specific configuration is needed.
+
+## Tips
+
+- **Keep descriptions actionable** — Instead of "Helps with SQL", write "Write optimized SQL queries for PostgreSQL, MySQL, and SQLite, including index recommendations and query plan analysis"
+- **One skill per domain** — A focused `sql-expert` skill works better than a broad `database-everything` skill
+- **Use markdown structure** — Headers, lists, and code blocks help the agent parse and follow instructions
+- **Test iteratively** — Run your workflow and check if the agent activates the skill when expected
+
+## Learn More
+
+- [Agent Skills specification](https://agentskills.io) — The open format for portable agent skills
+- [Example skills](https://github.com/anthropics/skills) — Browse community skill examples
+- [Best practices](https://agentskills.io/what-are-skills) — Writing effective skills

apps/sim/app/api/permission-groups/[id]/route.ts

@@ -24,6 +24,7 @@ const configSchema = z.object({
   hideFilesTab: z.boolean().optional(),
   disableMcpTools: z.boolean().optional(),
   disableCustomTools: z.boolean().optional(),
+  disableSkills: z.boolean().optional(),
   hideTemplates: z.boolean().optional(),
   disableInvitations: z.boolean().optional(),
   hideDeployApi: z.boolean().optional(),

apps/sim/app/api/permission-groups/route.ts

@@ -25,6 +25,7 @@ const configSchema = z.object({
   hideFilesTab: z.boolean().optional(),
   disableMcpTools: z.boolean().optional(),
   disableCustomTools: z.boolean().optional(),
+  disableSkills: z.boolean().optional(),
   hideTemplates: z.boolean().optional(),
   disableInvitations: z.boolean().optional(),
   hideDeployApi: z.boolean().optional(),

apps/sim/app/api/skills/route.ts

@@ -0,0 +1,182 @@
+import { db } from '@sim/db'
+import { skill } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, desc, eq } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { upsertSkills } from '@/lib/workflows/skills/operations'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+
+const logger = createLogger('SkillsAPI')
+
+const SkillSchema = z.object({
+  skills: z.array(
+    z.object({
+      id: z.string().optional(),
+      name: z
+        .string()
+        .min(1, 'Skill name is required')
+        .max(64)
+        .regex(/^[a-z0-9]+(-[a-z0-9]+)*$/, 'Name must be kebab-case (e.g. my-skill)'),
+      description: z.string().min(1, 'Description is required').max(1024),
+      content: z.string().min(1, 'Content is required').max(50000, 'Content is too large'),
+    })
+  ),
+  workspaceId: z.string().optional(),
+})
+
+/** GET - Fetch all skills for a workspace */
+export async function GET(request: NextRequest) {
+  const requestId = generateRequestId()
+  const searchParams = request.nextUrl.searchParams
+  const workspaceId = searchParams.get('workspaceId')
+
+  try {
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized skills access attempt`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = authResult.userId
+
+    if (!workspaceId) {
+      logger.warn(`[${requestId}] Missing workspaceId`)
+      return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
+    }
+
+    const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+    if (!userPermission) {
+      logger.warn(`[${requestId}] User ${userId} does not have access to workspace ${workspaceId}`)
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    const result = await db
+      .select()
+      .from(skill)
+      .where(eq(skill.workspaceId, workspaceId))
+      .orderBy(desc(skill.createdAt))
+
+    return NextResponse.json({ data: result }, { status: 200 })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching skills:`, error)
+    return NextResponse.json({ error: 'Failed to fetch skills' }, { status: 500 })
+  }
+}
+
+/** POST - Create or update skills */
+export async function POST(req: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkSessionOrInternalAuth(req, { requireWorkflowId: false })
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized skills update attempt`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = authResult.userId
+    const body = await req.json()
+
+    try {
+      const { skills, workspaceId } = SkillSchema.parse(body)
+
+      if (!workspaceId) {
+        logger.warn(`[${requestId}] Missing workspaceId in request body`)
+        return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
+      }
+
+      const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+      if (!userPermission || (userPermission !== 'admin' && userPermission !== 'write')) {
+        logger.warn(
+          `[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
+        )
+        return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+      }
+
+      const resultSkills = await upsertSkills({
+        skills,
+        workspaceId,
+        userId,
+        requestId,
+      })
+
+      return NextResponse.json({ success: true, data: resultSkills })
+    } catch (validationError) {
+      if (validationError instanceof z.ZodError) {
+        logger.warn(`[${requestId}] Invalid skills data`, {
+          errors: validationError.errors,
+        })
+        return NextResponse.json(
+          { error: 'Invalid request data', details: validationError.errors },
+          { status: 400 }
+        )
+      }
+      if (validationError instanceof Error && validationError.message.includes('already exists')) {
+        return NextResponse.json({ error: validationError.message }, { status: 409 })
+      }
+      throw validationError
+    }
+  } catch (error) {
+    logger.error(`[${requestId}] Error updating skills`, error)
+    return NextResponse.json({ error: 'Failed to update skills' }, { status: 500 })
+  }
+}
+
+/** DELETE - Delete a skill by ID */
+export async function DELETE(request: NextRequest) {
+  const requestId = generateRequestId()
+  const searchParams = request.nextUrl.searchParams
+  const skillId = searchParams.get('id')
+  const workspaceId = searchParams.get('workspaceId')
+
+  try {
+    const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
+    if (!authResult.success || !authResult.userId) {
+      logger.warn(`[${requestId}] Unauthorized skill deletion attempt`)
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = authResult.userId
+
+    if (!skillId) {
+      logger.warn(`[${requestId}] Missing skill ID for deletion`)
+      return NextResponse.json({ error: 'Skill ID is required' }, { status: 400 })
+    }
+
+    if (!workspaceId) {
+      logger.warn(`[${requestId}] Missing workspaceId for deletion`)
+      return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
+    }
+
+    const userPermission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+    if (!userPermission || (userPermission !== 'admin' && userPermission !== 'write')) {
+      logger.warn(
+        `[${requestId}] User ${userId} does not have write permission for workspace ${workspaceId}`
+      )
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
+    }
+
+    const existingSkill = await db.select().from(skill).where(eq(skill.id, skillId)).limit(1)
+
+    if (existingSkill.length === 0) {
+      logger.warn(`[${requestId}] Skill not found: ${skillId}`)
+      return NextResponse.json({ error: 'Skill not found' }, { status: 404 })
+    }
+
+    if (existingSkill[0].workspaceId !== workspaceId) {
+      logger.warn(`[${requestId}] Skill ${skillId} does not belong to workspace ${workspaceId}`)
+      return NextResponse.json({ error: 'Skill not found' }, { status: 404 })
+    }
+
+    await db.delete(skill).where(and(eq(skill.id, skillId), eq(skill.workspaceId, workspaceId)))
+
+    logger.info(`[${requestId}] Deleted skill: ${skillId}`)
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    logger.error(`[${requestId}] Error deleting skill:`, error)
+    return NextResponse.json({ error: 'Failed to delete skill' }, { status: 500 })
+  }
+}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/index.ts

@@ -24,6 +24,7 @@ export { ResponseFormat } from './response/response-format'
 export { ScheduleInfo } from './schedule-info/schedule-info'
 export { SheetSelectorInput } from './sheet-selector/sheet-selector-input'
 export { ShortInput } from './short-input/short-input'
+export { SkillInput } from './skill-input/skill-input'
 export { SlackSelectorInput } from './slack-selector/slack-selector-input'
 export { SliderInput } from './slider-input/slider-input'
 export { InputFormat } from './starter/input-format'