Loading

Skills in Elastic Agent Builder

A skill is a reusable capability pack that gives an agent specialized expertise for a particular type of task. Each skill bundles three things:

  • Instructions: domain-specific guidance written in Markdown that shapes how the agent approaches the task.
  • Tools: built-in or custom tools the agent can call while the skill is active.
  • Context: additional knowledge the skill can draw on, such as reference documents or runbooks.

This makes skills different from tools, which are discrete operations like running a query or retrieving a document. Skills sit one level higher, combining tools with the instructions and context needed to complete a workflow end to end.

Skills also differ from the agent's system prompt. The system prompt is always in context, while skills load selectively. An agent can have access to many skills without loading them all into the context window at once. You author a skill once and assign it to any agent that needs it, keeping agent configurations clean and making expertise easy to share across your team.

Skills can be invoked in three ways:

Automatic discovery (default)
The agent receives a list of available skills with their names and descriptions. Based on the user's natural language input, it automatically selects and invokes the most relevant skill. No special syntax is needed.
Slash commands
Users can explicitly invoke a skill by typing / followed by the skill name and a prompt. This is useful when you know exactly which skill you need.
Chat input showing a slash command that invokes the visualization-creation skill
Attachment-driven
When a user attaches contextual data to a message (for example, an alert from the alert flyout), the agent can automatically invoke the relevant skill based on the attachment type.

Use skills when you have domain-specific knowledge or procedures that multiple agents should follow consistently. Some examples:

  • An Elastic Security user asks about a suspicious host. The entity-analytics skill activates and guides the agent through finding the entity, analyzing its risk score, asset criticality, and behavioral history.
  • An Elastic Observability user asks why a service is slow or why an alert fired. The observability.investigation skill activates and diagnoses the issue across APM services and infrastructure.
  • An Elasticsearch user asks how to combine keyword and vector search for a product catalog. The search.hybrid-search skill activates and guides the agent through building a hybrid search solution.

Elastic Agent Builder ships with built-in skills for common task domains. The skills available depend on your solution or serverless project type: some skills are available across all deployments, while others are specific to Elasticsearch, Observability, or Elastic Security. Built-in skills are read-only and cannot be modified or deleted.

For the complete list, refer to Built-in skills reference.

You can extend the built-in catalog with your own custom skills. Custom skills are saved to your skill library, which you can manage from Manage components > Skills. Creating a skill adds it to the library, but it is not available to any agent until you add it from Customize > Skills on that agent. This separation means you can maintain a shared library of skills and choose which ones each agent has access to.

To learn how to create and manage custom skills, refer to Custom skills.

To retrieve all available skills programmatically, use the List skills API endpoint: GET /api/agent_builder/skills. For the full set of skills CRUD operations, refer to Custom skills.