Definition
Skill distillation
Skill distillation is the process of turning a finished agent session into a reusable, named skill: a model reads the transcript and extracts a structured capability — a description, a system prompt, and an allowed set of tools — so a successful one-off task becomes a repeatable behavior. It converts tribal prompt knowledge into a governed, shareable asset.
Key takeaways
- Skill distillation turns a finished agent session into a reusable named skill: description, system prompt, and allowed tools.
- It converts a successful one-off task into repeatable behavior — tribal prompt knowledge becomes a shareable asset.
- Safety requires clamping allowed tools to the real registry and treating the transcript as data, not instructions.
- Planoda's distillFromSession clamps tools to the registry, scrubs the transcript, respects the AI budget, and audits the result.
The first time an agent solves a tricky task — triaging a backlog by a nuanced rule, drafting a release note from merged work — the how-to lives only in that conversation. Distillation captures it. A summarization model reads the session transcript as data, infers the steps and intent, and emits a structured skill: what it does, the prompt that drives it, and the specific tools it needs, so the next run applies the same expertise without rediscovery.
Safety has to be designed in, because a distilled skill is also a distilled set of permissions. The allowed tools must be clamped to ones that actually exist in the registry — a model can hallucinate a tool name — and any consequential action the skill performs must still route through approval. Treating the transcript strictly as data, not as instructions to obey, also prevents a poisoned session from defining a malicious skill.
Planoda's `distillFromSession` does exactly this: it loads a tenant-scoped transcript, asks the gateway model for a structured `{ name, description, systemPrompt, allowedTools }`, clamps `allowedTools` to the real tool registry, scrubs the transcript so it's treated as data, respects the workspace AI budget, and persists through the same path as a hand-authored skill — so distilled skills inherit the full governance fan-out.
Related terms
- Agent skillAn agent skill is a reusable, named agent capability: a packaged workflow with a description, a system prompt, an allowed set of tools, and triggers that decide when it runs. Instead of re-explaining a task every time, you define the skill once and the agent applies it on demand — turning ad-hoc prompting into a library of repeatable, governed capabilities.
- AI AgentAn AI agent is a software system that uses a large language model to pursue a goal across multiple steps — reading context, choosing tools, and taking actions — rather than answering a single prompt. In a work platform, agents triage issues, draft updates, and execute multi-step tasks as autonomous teammates, bounded by the permissions and approvals their operators set.
- Tool registryA tool registry is the single, authoritative catalog of the actions an AI agent may call, with each tool's name, typed arguments, and risk classification declared in one place. It is the source of truth a governance broker consults to decide whether a call is safe to run or must be gated — so capability and destructiveness are properties of the registry, not scattered per-caller decisions.
- Agentic WorkflowAn agentic workflow is a process in which one or more AI agents carry out a multi-step task with some autonomy — planning, calling tools, and acting on results in a loop — rather than a human driving each step. The agent decides the next action toward a goal, within boundaries its operator sets, turning AI from a single-response assistant into a worker.
- Prompt InjectionPrompt injection is an attack on AI systems where malicious instructions hidden in user input or retrieved content trick a language model into ignoring its original directives — leaking data, performing unauthorized actions, or producing harmful output. Because models can't reliably separate trusted instructions from untrusted data in their context, it is a fundamental security risk for any LLM application.