Why AI agent skills need privacy—introducing PASE protocol

For months, developers have relied on AI agent skills to automate complex tasks. But a critical flaw in today’s ecosystem treats these skills like open-source blueprints anyone can steal. That’s why a new protocol, PASE, is emerging to protect proprietary AI workflows while keeping the ecosystem open.

The current model of AI skills—where every instruction lives in a plain-text file—works for community sharing but fails for businesses. Firms with refined methodologies, like law firms reviewing contracts or hospitals documenting clinical workflows, can’t publish their skills without risking their intellectual property. The result? A locked door stopping the most valuable expertise from entering the ecosystem.

The current skill ecosystem is built on an open-door model

Today, installing an AI agent skill is like downloading a recipe book. You get full access to the instructions, including every prompt, heuristic, and nuance the creator spent months perfecting. That’s ideal for open-source collaboration but a non-starter for enterprises guarding trade secrets.

Consider industries where proprietary knowledge is the core asset:

Law firms with customized contract review playbooks
Hospitals with patient documentation workflows refined over years
Financial institutions with compliance-checking frameworks
Consulting firms with research methodologies honed over decades

None of these can safely publish their skills today. The moment they do, competitors—or anyone with access—can replicate their expertise instantly. The ecosystem loses its most valuable contributors, not because they lack interest, but because the system offers no way to keep skills private.

MCP solves connection, not confidentiality

Model Context Protocol (MCP) is a powerful tool for linking AI agents to external services, databases, and APIs. It excels at answering the question: How does an agent connect to an external tool? But it doesn’t address a far more pressing concern for enterprises: How does an agent use a skill whose instructions must remain confidential?

Some large enterprises, like Atlassian, Canva, and Cloudflare, have found workarounds. They publish a thin public SKILL.md file that acts as a gateway to a private MCP server. It’s a functional hack, but it’s not standardized. Every company reinvents the wheel, creating fragmentation in authentication, discovery, and billing. Without a uniform approach, the ecosystem remains fractured.

Three missing pieces in today’s skill ecosystem

The current model lacks critical functionality that would make skills viable for enterprises:

1. Hide the recipe. There’s no standard way for a skill creator to keep their instructions private while still allowing agents to invoke the skill. Your only options are to either share the entire file or opt out of participation entirely.

2. Control the door. Once a skill is installed, there’s no built-in authentication. Anyone with the file can use it freely, with no way to restrict access to paying customers or licensed users.

Get paid. Billing isn’t part of any skill standard. If you want to monetize a skill, you’re forced to build a custom payment system outside the protocol, adding complexity and friction.

These gaps aren’t minor oversights—they’re barriers preventing enterprise adoption at scale.

Introducing PASE: Private Agent Skill Endpoint

To address these challenges, a new protocol called PASE (Private Agent Skill Endpoint) is being proposed. The core idea flips the current model on its head: instead of shipping a skill as a static file, you host it as a remote endpoint. The consumer agent calls this endpoint, authenticates, and receives the output—without ever seeing the underlying instructions.

Think of it like ordering a meal at a restaurant. The diner gets the dish, but they never get the recipe. Today’s skills are like handing out index cards with step-by-step instructions. PASE turns them into a service where only the result matters, not the process.

How a PASE manifest works

A PASE-compliant skill is defined by a lightweight manifest that separates public description from private implementation. Here’s a simplified example:

---
name: contract-redline

# Public description only
# Actual instructions hosted privately
description: >
  Reviews vendor contracts against standard corporate playbook.
  Use when reviewing any vendor agreement or SaaS contract.

endpoint:
  url: 
  protocol: pase/1.0
  authorization:
    server: 
    scopes: [skill:invoke]
---

The manifest tells agents what the skill does and where to call it, but the actual instructions remain securely on the creator’s server. This preserves intellectual property while enabling seamless integration.

Built on existing standards

PASE doesn’t invent new technology. It composes proven open standards to create a cohesive, secure framework:

SKILL.md – The existing open standard for AI agent skills, extended with an endpoint block for remote invocation.
OAuth 2.1 + PKCE – The same authentication framework used by MCP for secure, token-based access.
x402 – The Linux Foundation’s HTTP-based payment standard, enabling optional monetization of skills.
JSON-RPC 2.0 over HTTPS – The transport layer used by MCP for reliable, standardized communication.

If you already implement MCP with authentication, you’re 80% of the way to being PASE-compliant. The protocol is designed to be familiar, not revolutionary.

Why the timing is right for PASE

The AI agent skills ecosystem is still in its infancy. The open skill layer standardized only in late 2025 with the adoption of SKILL.md across major AI platforms. The ecosystem has reached a critical mass where foundational interoperability is possible—but a crucial layer remains missing: private skills.

Enterprises are now evaluating AI agent adoption but are blocked by the lack of a standardized way to protect their proprietary workflows. PASE fills this gap by providing a framework that respects both open collaboration and confidentiality. The pieces it relies on—SKILL.md, OAuth 2.1, and x402—are all under Linux Foundation governance, making it feasible for PASE to eventually join them as a standardized protocol.

Next steps and how to get involved

PASE is currently a v0.1 draft specification, with three key documents available for review:

README.md – A high-level overview of use cases and benefits
SPEC.md – The full technical specification for implementers
MOTIVATION.md – The reasoning behind each design decision

The project is open for feedback, technical review, and early adoption. The creator, Amit Gandhi, is seeking input on three fronts:

Real-world pain points – Have you encountered a situation where proprietary skills couldn’t be safely shared? Share your experience in comments or GitHub issues.
Technical feedback – Experts in OAuth 2.1, MCP internals, or x402 are encouraged to review the specification and suggest improvements.
Early implementers – AI agent runtime developers interested in integrating PASE are invited to collaborate.

The protocol’s success depends on broad adoption and refinement. By turning the spotlight on the need for private skills, PASE could redefine how enterprises engage with the AI agent ecosystem—shifting from a model of open sharing to one of secure, controlled collaboration.

The door to proprietary AI skills is currently locked. PASE isn’t just a new protocol—it’s the key.

AI summary

Discover PASE, a new protocol that enables businesses to use private AI skills without exposing proprietary workflows. Learn how it works and why it matters now.