Description
I am building a GIS agent using `claude_agent_sdk.ClaudeSDKClient` from Anthropic.
I have implemented a `measure-distance` skill that internally invokes an MCP tool named `mcp__measurement__distance`. My intended execution workflow is:
User → Agent → Skill → MCP Tool → Skill → Agent → User
Intended Architecture
The system is designed to work as follows:
```
┌─────────────┐
│    User     │
└──────┬──────┘
       │ request
       ▼
┌─────────────┐
│    Agent    │ ← Identify matching skill
└──────┬──────┘
       │ activate skill
       ▼
┌─────────────┐
│    Skill    │ ← Skill handles MCP tool invocation
└──────┬──────┘
       │ calls MCP tool internally
       ▼
┌─────────────┐
│  MCP Tool   │ ← Performs actual operation
└──────┬──────┘
       │ returns data
       ▼
┌─────────────┐
│    Skill    │ ← Formats response
└──────┬──────┘
       │ returns JSON
       ▼
┌─────────────┐
│    Agent    │ ← Present result to user
└──────┬──────┘
       │
       ▼
┌─────────────┐
│    User     │
└─────────────┘
```
Problem
In practice, I am encountering two undesirable behaviors:
Call `client.query("Distance from the east wall of selected building to the nearest building")`
- The agent sometimes calls the MCP tool directly, bypassing the skill layer.
- The skill sometimes returns a response without calling the MCP tool, even when the tool is required.
These behaviors break the intended architecture and make it difficult to enforce consistent execution logic.
Question
How can I prevent the agent from directly invoking MCP tools and ensure that skills always call the appropriate MCP tools before responding?
Specifically:
- Is there a recommended way to restrict MCP tool access so that tools can only be invoked from within skills?
- Are there best practices for enforcing mandatory MCP tool invocation inside a skill?
- Can this behavior be controlled through prompt design, SDK configuration, or architectural patterns?
Any guidance, best practices, or examples would be greatly appreciated. Thank you!
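One way to enforce both constraints from the question, added here as an example and not code from the issue or from the claude_agent_sdk project: a small policy object that the SDK's pre-tool-use permission callback and the skill-return handler can consult. The wiring into the SDK callback is assumed and not shown; only the tool and skill names come from the issue.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Tools that may only be reached through the skill layer (constructed policy;
# mcp__measurement__distance and measure-distance are the names from the issue).
SKILL_ONLY_TOOLS: Dict[str, str] = {"mcp__measurement__distance": "measure-distance"}


@dataclass
class WorkflowState:
    """Tracks which skill is active and which tools it has actually invoked."""
    active_skill: Optional[str] = None
    tools_called: List[str] = field(default_factory=list)


def activate_skill(state: WorkflowState, skill_name: str) -> None:
    """Record that the agent handed control to a skill; reset its tool log."""
    state.active_skill = skill_name
    state.tools_called = []


def decide_tool_use(state: WorkflowState, tool_name: str) -> Tuple[bool, str]:
    """Permission decision for one tool call, returned as (allowed, reason).

    Meant to be consulted from the SDK's pre-tool-use permission callback
    (assumed wiring). A skill-only tool is denied unless its owning skill is
    currently active, which closes the 'agent bypasses the skill' path.
    """
    owner = SKILL_ONLY_TOOLS.get(tool_name)
    if owner is None:
        return True, "tool is not skill-restricted"
    if state.active_skill != owner:
        return False, f"{tool_name} may only be called from the {owner} skill"
    state.tools_called.append(tool_name)
    return True, f"called by active skill {owner}"


def validate_skill_response(state: WorkflowState) -> Tuple[bool, str]:
    """When the skill returns, check that it really used its required tool.

    Closes the 'skill answers without calling the tool' path; on failure the
    caller can feed the reason back as a correction instead of presenting it.
    """
    required = [t for t, o in SKILL_ONLY_TOOLS.items() if o == state.active_skill]
    missing = [t for t in required if t not in state.tools_called]
    if missing:
        return False, f"skill {state.active_skill} returned without calling {missing}"
    return True, "skill response backed by tool output"
```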