What a built-in skill is (and is not)
- A built-in skill is an instruction artifact that influences planning and execution strategy.
- A built-in skill is not a standalone external data processor.
- External data access still depends on model calls, connectors, user files, and runtime tools that are authorized for your session.
Data handling model for built-in skills
Built-in skills may operate on:- User prompts and conversation context
- User-provided files and generated artifacts
- Connected-service data when relevant connectors are authorized
Safety boundaries and controls
- Sandbox isolation: Skill-driven code execution occurs in isolated runtime environments.
- Connector gating: Skill prompts cannot use connector actions without valid active connector auth.
- Secret controls: Secrets remain managed via runtime injection patterns and are not expected to appear in normal response payloads.
- Validation and guardrails: Tool invocation and platform-side checks constrain execution paths.
Sensitive-domain guidance
Some official skills cover regulated or high-impact topics (for example: medical, legal/privacy, or financial analysis). For those categories:- Outputs are informational and should be reviewed by qualified professionals.
- Users should validate conclusions before making legal, medical, financial, or compliance decisions.
- Organizations should define internal approval flows for high-risk outputs.
Built-in vs custom skills
| Type | Source | Security posture |
|---|---|---|
| Official built-in skills | Curated and shipped by CREAO | Governed by platform controls and release process |
| Custom skills | Installed or authored by users | Treated as user-controlled instructions; review before enabling |