Claude Agent SDK Custom Tool Authoring Capability Pack Skill
Expert Claude Agent SDK custom tool authoring capability pack for designing typed in-process tools with createSdkMcpServer, allowedTools scoping, isError handling, and privacy-safe rollout checklists aligned to official custom-tools documentation.
Open the source and read safety notes before installing.
Safety notes
- Tool descriptions and annotations are hints, not enforcement—validate destructive inputs in handlers.
- Wildcard mcp__server__* allowlists expand blast radius; prefer per-tool grants in production.
- Throwing from a handler stops the query; return isError for recoverable failures per custom-tools docs.
- In-process tools run inside your application whenever Claude calls them; gate writes explicitly.
Privacy notes
- Tool schemas, inputs, and results enter model context each turn—never embed secrets in descriptions.
- Large tool sets increase context usage; defer rarely used tools via tool search when scaling.
- Structured outputs and logs may reach host telemetry—redact customer identifiers at handler boundaries.
- External APIs invoked by handlers may log request metadata governed by vendor retention policies.
Prerequisites
- Claude Agent SDK installed for TypeScript or Python with a working query loop.
- Zod (TypeScript) or dict/JSON Schema (Python) for tool input contracts.
- Written list of side effects each custom tool may perform and who approves them.
- Staging environment to validate allowedTools, permissions, and error paths.
Schema details
- Install type
- package
- Reading time
- 9 min
- Difficulty score
- 80
- Troubleshooting
- Yes
- Breaking changes
- No
- Scope
- Source repo
- Skill type
- capability-pack
- Skill level
- expert
- Verification
- validated
- Verified at
- 2026-06-16
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Full copyable content
# Trigger
"Apply the Claude Agent SDK custom tool authoring capability pack for this tool set."
# Required output
1) Tool inventory with side-effect classification
2) Schema and allowedTools review findings
3) Error-handling and permission plan
4) Staging verification checklist
5) Privacy-safe rollout summaryAbout this resource
Knowledge Freshness
This capability pack is grounded in Claude Agent SDK custom-tools, overview, permissions, and skills documentation verified on 2026-06-16. SDK tool APIs and permission defaults change with releases; prefer live official docs over cached assumptions.
Retrieval Sources
- https://code.claude.com/docs/en/agent-sdk/custom-tools
- https://code.claude.com/docs/en/agent-sdk/overview
- https://code.claude.com/docs/en/agent-sdk/permissions
- https://code.claude.com/docs/en/skills
- https://code.claude.com/docs/en/features-overview
- https://github.com/anthropics/claude-code
- https://developers.google.com/search/docs/fundamentals/creating-helpful-content
Source Verification Notes
Verified against official Claude Agent SDK custom-tools documentation on 2026-06-16:
- Custom tools are defined with name, description, input schema, and async handler
using
tool()in TypeScript or@toolin Python. - Handlers return a required
contentarray plus optionalstructuredContentandisErrorfields;isError: truekeeps the agent loop alive instead of throwing. - Tools are bundled with
createSdkMcpServer/create_sdk_mcp_serveras an in-process MCP server passed toqueryviamcpServers. - Fully qualified tool names use
mcp__{server_name}__{tool_name}and must appear inallowedToolsto run without permission prompts when intended. - Annotations such as
readOnlyHintguide parallel calls but do not block writes; enforcement belongs in handler code. - Tool search documentation supports loading large tool sets on demand to reduce per-turn context cost.
Scope Note
This is a community reusable workflow skill—not an official Anthropic product.
It applies documented Agent SDK custom tool authoring steps for schema design,
registration, allowlisting, and error handling. Step-by-step tutorials live in
content/guides/; this pack provides review matrices and output contracts for
teams authoring production tool sets.
Core Workflow
- Inventory proposed tools, side effects, and external dependencies.
- Draft name, description, and typed input schema per custom-tools documentation.
- Implement handlers returning
content; useisErrorfor recoverable failures. - Wrap tools in
createSdkMcpServerwith a stable server name segment. - Map fully qualified
mcp__server__toolnames forallowedToolsreview. - Classify read-only versus write tools; align annotations with actual behavior.
- Plan tool search or deferred loading when tool count threatens context limits.
- Run staging queries validating permissions, errors, and structured outputs.
- Produce privacy-safe rollout summary for platform or security reviewers.
Capability Scope
- Custom tool schema and side-effect classification.
- In-process MCP server registration review.
- allowedTools and permission scoping checklists.
- isError and structuredContent handling plans.
- Tool search scaling notes for large catalogs.
- Privacy-safe rollout summaries.
Compatibility
Native
- Claude Code / Claude: use as an Agent Skill when authoring or reviewing Agent SDK custom tool sets before production deployment.
Manual Adaptation
- Codex, Cursor, Windsurf, Generic AGENTS: apply the checklist when evaluating in-process tool designs against public Agent SDK documentation.
Required Inputs
- Proposed tool names, descriptions, and handler responsibilities.
- Target SDK language (TypeScript or Python) and package versions.
- Permission policy for allowedTools, hooks, and human approval gates.
- Staging project or sandbox credentials for safe validation.
Production Rules
- Validate destructive inputs inside handlers; never rely on descriptions alone.
- Prefer explicit per-tool allowlists over broad wildcards in production.
- Return
isErrorinstead of throwing for expected failure modes. - Keep secrets out of schemas, descriptions, and sample tool results.
- Cap parallel write tools; use
readOnlyHintonly for genuinely read-only handlers. - Document rollback: remove server from mcpServers and shrink allowedTools.
- Require human approval before enabling write tools in autonomous workflows.
Review Matrix
| Topic | Signal | Action |
|---|---|---|
| Write tool | Mutates data or deploys | Foreground approval + narrow allowlist |
| Read-only research | No side effects | readOnlyHint + parallel OK |
| External API | Network egress | Document data sent and timeouts |
| Large tool set | Context bloat | Enable tool search deferral |
| Handler throws | Query crash | Switch to isError responses |
| Wildcard allowlist | mcp__svc__* | Replace with named tools |
Output Contract
- Tool inventory with side-effect classification.
- Schema and allowedTools review findings.
- Error-handling and permission plan.
- Staging verification checklist.
- Privacy-safe rollout summary.
Troubleshooting
Issue: Tool never invoked despite registration
Fix: Confirm mcpServers key matches server name and allowedTools lists mcp__server__tool.
Issue: Permission prompts on every call
Fix: Add intended tools to allowedTools or document deliberate prompt workflow.
Issue: Query terminates on handler failure
Fix: Return { isError: true, content: [...] } instead of throwing exceptions.
Issue: Context grows with many tools Fix: Apply tool search patterns from custom-tools docs to defer unused schemas.
Duplicate Check
Checked content/skills/, content/guides/, open PRs, and the live catalog for
Agent SDK custom tool workflows. Guides such as custom-tools-with-the-claude-agent-sdk
teach implementation steps. claude-agent-sdk-mcp-integration-capability-pack covers
MCP integration rollout, not per-tool authoring review. No skills entry provides
this reusable custom tool authoring capability pack with review matrix and output
contract.
Editorial Disclosure
Submitted as an independent source-backed HeyClaude content entry by kiannidev.
It is based on public Claude Agent SDK documentation, the public Anthropic
claude-code repository, and Google Search Central helpful-content guidance. No
paid placement, referral link, affiliate link, or vendor sponsorship is used.
Source citations
Add this badge to your README
Show that Claude Agent SDK Custom Tool Authoring Capability Pack Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/claude-agent-sdk-custom-tool-authoring-capability-pack)How it compares
Claude Agent SDK Custom Tool Authoring Capability Pack Skill side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Claude Agent SDK Custom Tool Authoring Capability Pack Skill Expert Claude Agent SDK custom tool authoring capability pack for designing typed in-process tools with createSdkMcpServer, allowedTools scoping, isError handling, and privacy-safe rollout checklists aligned to official custom-tools documentation. Open dossier | Claude Agent SDK Session Storage Capability Pack Skill Expert Claude Agent SDK session storage capability pack for designing, reviewing, and rolling out Agent SDK session storage with source-backed checklists, production rules, and privacy-safe output contracts. Open dossier | Agent Skills Enterprise Provisioning Capability Pack Skill Expert agent skills enterprise provisioning capability pack for rolling out Claude Code skills across Claude for Enterprise with scope controls, admin policy alignment, user-only versus model-invoked skills, and audit-ready docs. Open dossier | Agent Skills Retrieval Source Verification Capability Pack Skill Expert agent skills retrieval source verification capability pack for validating canonical URLs, documentation reachability, repo provenance, and duplicate source claims before publishing or submitting Claude Code skills. Open dossier |
|---|---|---|---|---|
| Trust | ||||
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Category | skills | skills | skills | skills |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | kiannidev | kiannidev | kiannidev | kiannidev |
| Added | 2026-06-16 | 2026-06-14 | 2026-06-14 | 2026-06-14 |
| Platforms | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI | Claude CodeCodexWindsurfGeminiCursorCLI |
| Source repo | — | — | — | — |
| Safety notes | ✓Tool descriptions and annotations are hints, not enforcement—validate destructive inputs in handlers. Wildcard mcp__server__* allowlists expand blast radius; prefer per-tool grants in production. Throwing from a handler stops the query; return isError for recoverable failures per custom-tools docs. In-process tools run inside your application whenever Claude calls them; gate writes explicitly. | ✓This skill plans Agent SDK session storage; it must not execute destructive changes without explicit approval. Browser, computer-use, and remote surfaces can access sensitive UI state; scope tests carefully. MCP and SDK integrations may exfiltrate data if tool scopes are too broad. The public `anthropics/claude-code` repository ships documentation links to code.claude.com for settings, security, and integration surfaces. Scheduled or autonomous workflows compound risk; cap blast radius in staging first. | ✓Model-invoked skills load descriptions at session start and can trigger side effects if not marked user-only or restricted with allowed-tools. Enterprise-wide skill rollout amplifies any destructive workflow across all provisioned users. Skills referencing external MCP servers inherit third-party data-handling risk outside Anthropic policies. Admin-managed allowlists and enterprise settings may block certain skill locations or plugin sources. This skill recommends rollout phases; it must not deploy skills org-wide without explicit admin approval. | ✓Retrieval sources must point to primary official documentation or verifiable repositories, not affiliate landing pages or unreviewed mirrors. Parked domains, empty documentation pages, and redirect chains to unrelated products fail source verification. Listing many URLs without explaining which is canonical creates reviewer ambiguity and increases duplicate risk. This skill verifies sources; it must not approve a submission whose claims cannot be substantiated by fetched evidence. |
| Privacy notes | ✓Tool schemas, inputs, and results enter model context each turn—never embed secrets in descriptions. Large tool sets increase context usage; defer rarely used tools via tool search when scaling. Structured outputs and logs may reach host telemetry—redact customer identifiers at handler boundaries. External APIs invoked by handlers may log request metadata governed by vendor retention policies. | ✓Reviews may expose integration tokens, customer metadata, and internal URLs related to Agent SDK session storage. Telemetry and analytics configs can include account emails; redact before sharing externally. Keep troubleshooting logs in internal channels unless explicitly sanitized. Third-party vendors remain outside Anthropic retention policies; document separately. | ✓Enterprise skill inventories can reveal internal team workflows, compliance processes, and repository naming conventions. Skill descriptions loaded at startup may expose sensitive operational details to every session in scope. Rollout comms should describe approved skill categories and boundaries, not full internal SKILL.md contents. | ✓Source verification logs may include internal staging URLs, private repo names, or authentication-gated docs if reviewers paste raw fetch output. Some documentation pages embed organization-specific examples that should be redacted before public issue comments. Public verification summaries should list reachability status and canonical URL choice, not full HTTP response bodies. |
| Prerequisites |
|
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Signals
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.