
Creating a Skill Builder App on BisenseAI

Low-Code / No-Code · Difficulty: Advanced · Time to Implement: 3–5 hours

Who This Guide Is For

Developers, agencies, and product teams building a skill builder product on BisenseAI without maintaining separate UI and orchestration codebases. You want BisenseFlow for logic, Weaver for experience, and deploy as API/MCP with observability from day one.

Prerequisites

  • BisenseAI workspace with BisenseFlow and Weaver enabled
  • LLM provider API keys in BisenseAI secrets
  • Sample inputs representing real skill builder scenarios for playground
  • Understanding of workflow I/O port binding to Weaver App Nodes
  • LangSmith or LangFuse project for production traces
  • API gateway or auth layer if exposing public endpoints
  • Review of BisenseAI docs/product-document.md for platform terminology

Key Outcomes

  • Production BisenseFlow workflow for skill builder core logic
  • Weaver UI bound to workflow inputs/outputs with loading and error states
  • Control-flow guards, retries, and structured JSON errors
  • Interactive playground regression fixtures before deploy
  • REST API deploy with rate limits and rotated keys
  • Optional MCP deploy for skill builder tools/resources

Core Challenge

Every new customer integration becomes an engineering ticket when agent tools are hard-coded. Product teams need governed registration of REST and SaaS capabilities—name, JSON Schema parameters, OAuth where possible—without redeploying your API for each skill.

Agents pick tools from descriptions; vague schemas cause wrong calls and data leaks. Execution must be sandboxed, rate-limited, and auditable per tenant.

BisenseFlow validates and persists skill definitions; HTTP and Composio nodes execute at runtime; Weaver provides composer and test playground.

The same execution subgraph can deploy as MCP tools so Claude Desktop shares skills with your in-app Agent.

The 2025-2026 tool ecosystem converged on JSON Schema definitions shared across OpenAI function calling, Anthropic tool_use, and MCP tool manifests (spec 2025-11-25). Claude Skills and evolved Custom GPTs prove users want to extend agents without redeploying code, but production platforms must validate schemas, sandbox HTTP, and audit invocations. BisenseFlow Agent nodes, Composio OAuth actions, and MCP deploy give Skill Builder products this stack visually: one subgraph per skill, dual export to in-platform agents and external MCP hosts, LangSmith traces per invocation.

What You Will Build

Weaver Skill Composer: form for metadata, JSON Schema, Composio gallery or raw HTTP config. Save triggers authoring workflow; Test calls execution subgraph with sample args.

Tools Agent loads skills dynamically per tenant. Approval gate sets is_live before production tool registration.

Runtime path routes tool_call.skill_id → templated HTTP or Composio → JSON back to Agent for next reasoning step.

Optional MCP deploy exposes each skill as a discoverable tool with LLM-friendly descriptions.

Platform Architecture on BisenseAI

BisenseFlow is the source of truth for logic—nodes like LLM, Agent, Vector Store, Text Splitter, HTTP Request, Composio, Playwright, fal.ai, FFmpeg, and custom Python compose visually.

Weaver binds user actions to workflow I/O; real-time execution streams results; time-travel debugging inspects each node output.

Deploy the same workflows as REST APIs or MCP servers so web apps, mobile clients, and Claude Desktop share one runtime.

┌──────────────────┐     ┌─────────────────────────────────┐
│ Weaver Composer  │────▶│ Authoring: validate → persist   │
└────────┬─────────┘     └─────────────────────────────────┘
         │ test                      ▲ load tools[]
         ▼                             │
┌──────────────────┐     ┌─────────────┴───────────────────┐
│ Tools Agent      │────▶│ Runtime: HTTP / Composio        │
└──────────────────┘     └─────────────────────────────────┘
         │ Deploy MCP / REST
         ▼
   Claude Desktop / SaaS API

Dynamic Tool Registration

Agent node fetches skills[] at session start from your API. Each record maps to HTTP template or Composio action_id. Update BisenseFlow graph and redeploy—no mobile release to add capabilities. Tool metadata includes version and is_live flag for safe rollouts. Auto-generate JSON Schema, OpenAI function JSON, and MCP tool manifests from a single BisenseFlow Input node definition. Validate schemas with draft-2020-12 rules in Logic nodes before skills publish to production Agent registries.

Composio OAuth Gallery

Pre-built nodes for Slack, GitHub, Gmail, Notion, Airtable—users pick integrations instead of pasting API keys. BisenseAI manages token refresh; skill rows store composio_action_id only. Reduces support burden for OAuth scope and revocation.

Sandbox and Approval

Logic denylist blocks localhost and private IPs on user URLs. Admin Weaver modal approves is_live=true. HTTP proxy logs request URL, tenant_id, latency for compliance. max_tool_calls caps runaway agent loops.

Weaver Test Playground

Test button passes JSON args to execution subgraph before publish. Time-travel shows which template variable failed validation. Separate Save vs Test I/O bindings prevent accidental production writes.

Backend Logic Canvas (BisenseFlow)

  • JSON Input: skill_name, description, method, url, headers, parameters schema
  • Logic Node: URL validation, RFC1918 denylist, schema draft-07 check
  • HTTP POST persist skill row with tenant_id and version
  • HTTP GET fetch skills?tenant_id for Agent registration
  • Tools Agent with max_tool_calls=5 and dynamic tools array
  • Route tool_call.skill_id to execution subgraph
  • HTTP Request node with Mustache arg templating
  • Composio branch for OAuth SaaS actions
  • Structured error JSON on 4xx/5xx for agent recovery
  • Rate limit Logic per tenant_id before execute
  • LangSmith traces tagged skill_name
  • MCP deploy of execution subgraph per published skill

Frontend Canvas (Weaver Studio)

  • App Nodes for primary user inputs
  • Toolbar or forms mapping to workflow ports
  • Loading and error Logic Nodes
  • Streaming bindings where LLM streams tokens
  • Results panel bound to JSON Output
  • Admin settings route (optional)
  • Playground embed for internal QA
  • Execution status from workflow runner
  • Time-travel debug link for support
  • AI-assisted linking for I/O setup
  • Environment-specific API base URLs
  • Deploy Weaver preview then production

Node Configuration Reference

Text Input

Define ports: user_text, action_enum, tenant_id.

Validate max length in Logic node before LLM calls.

LLM

System prompt specific to action; temperature 0.2–0.7.

Map CONTEXT variables from upstream retriever or state.

Agent

max_tool_calls 5–10; register tools with crisp descriptions.

Attach HTTP/Composio subgraphs as tools.

HTTP Request

Secrets in vault; timeout 30s; retry 429.

Return JSON serializable body to downstream nodes.

Logic

Route on enums; enforce guards (empty selection, unsafe hosts).

Emit structured errors for UI.

JSON Output

Single object for Weaver: result, citations, status, job_id.

Keep fields stable across versions.

JSON Schema quality for tool selection

LLMs choose tools from description text—use action verbs: search_contacts not contacts_api. Enums reduce argument hallucination; keep required fields minimal.

Auto-generate schema from Weaver form types for non-technical users; raw schema panel for power users. Breaking changes require new skill_id to avoid silent agent behavior shifts.

In playground, test ambiguous user questions and confirm the Agent picks the intended skill in LangSmith traces.

Multi-tenant isolation

Derive tenant_id from JWT at gateway—never trust client JSON alone. Fetch and execute paths filter strictly on tenant_id.

Composio connected_account_id mapping per tenant lives in BisenseAI secrets. Audit log stores tool_call args hash and HTTP status for compliance reviews.

Disable skill by setting is_live=false without deleting history—Agent fetch excludes inactive records.
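
The isolation rules above as an added sketch (not BisenseAI code): the tenant comes from a verified token, client JSON is never consulted, the fetch filters on tenant_id and is_live, and the audit row stores a hash of the arguments. The HS256 shared key, the claim names, and every function and constant name here are assumptions; a production gateway would use a maintained JWT library.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"      # constructed; a real gateway key lives in a secret store
NOW = 1_700_000_000                # fixed clock so the example is deterministic

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(header, claims, key):
    """Build a constructed test token."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def tenant_from_jwt(token, key, now):
    """Return tenant_id from a verified token, or raise PermissionError."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        signature_ok = hmac.compare_digest(expected, b64url_decode(sig))
    except ValueError as exc:      # wrong part count, bad base64, bad JSON
        raise PermissionError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not signature_ok:
        raise PermissionError("bad algorithm or signature")
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now or "tenant_id" not in claims:
        raise PermissionError("expired token or missing tenant_id")
    return claims["tenant_id"]

def skills_for_request(token, client_json, skills, key=KEY, now=NOW):
    # client_json may carry its own tenant_id; it is deliberately never read.
    tenant = tenant_from_jwt(token, key, now)
    return [s for s in skills if s["tenant_id"] == tenant and s["is_live"]]

def audit_record(tenant, skill_id, args, http_status):
    # Canonical JSON so the same arguments always hash to the same value.
    canon = json.dumps(args, sort_keys=True, separators=(",", ":")).encode()
    return {"tenant_id": tenant, "skill_id": skill_id,
            "args_sha256": hashlib.sha256(canon).hexdigest(), "http_status": http_status}

SKILLS = [  # constructed rows
    {"skill_id": "acme.search_contacts", "tenant_id": "acme", "is_live": True},
    {"skill_id": "acme.create_invoice", "tenant_id": "acme", "is_live": False},
    {"skill_id": "globex.search_contacts", "tenant_id": "globex", "is_live": True},
]
```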

Generating MCP Tool Manifests from Skill Schemas

The MCP specification (revision 2025-11-25) defines tools with name, description, and inputSchema as JSON Schema. A Skill Builder backend workflow reads the user skill definition JSON, validates against draft-2020-12 schema rules, and emits an MCP-compatible tool entry. Streamable HTTP transport replaces legacy SSE for remote MCP servers; BisenseAI MCP deploy handles transport negotiation.

Tool descriptions are the primary signal models use for selection. Invest in LLM-assisted description refinement in the Weaver composer. Run a test Agent loop in the playground with 20 ambiguous prompts; if the wrong skill fires more than 10% of the time, tighten descriptions or add negative examples.
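
An added sketch of the single-source export described above (not BisenseAI code): one skill definition is pre-checked and then emitted both as an MCP tool entry (name, description, inputSchema) and as OpenAI function JSON. The checks are a structural subset, not full draft-2020-12 validation; the field names follow the JSON Input list on this page, while the function names, the length limits and the added additionalProperties=false are assumptions.

```python
import re

NAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,63}$")  # snake_case; length limits are an assumption
JSON_TYPES = {"string", "integer", "number", "boolean", "array", "object"}

def validate_skill(skill):
    """Return a list of problems; an empty list means the skill may be exported."""
    errors = []
    if not NAME_RE.match(skill.get("skill_name", "")):
        errors.append("skill_name must be snake_case")
    if len(skill.get("description", "").split()) < 8:  # assumed minimum
        errors.append("description too short to guide tool selection")
    schema = skill.get("parameters", {})
    props = schema.get("properties", {})
    if schema.get("type") != "object":
        errors.append("parameters.type must be 'object'")
    for field in schema.get("required", []):
        if field not in props:
            errors.append(f"required field '{field}' not in properties")
    for name, spec in props.items():
        kind = spec.get("type")
        if not isinstance(kind, str) or kind not in JSON_TYPES:
            errors.append(f"{name}: missing or unknown type")
        if not spec.get("description"):
            errors.append(f"{name}: missing description")
        if "enum" in spec and not spec["enum"]:
            errors.append(f"{name}: empty enum")
    return errors

def export_tool_definitions(skill):
    """Emit the MCP tool entry and OpenAI function JSON from one canonical schema."""
    errors = validate_skill(skill)
    if errors:
        raise ValueError("; ".join(errors))
    # Copy the schema and refuse undeclared arguments (an added hardening choice).
    schema = dict(skill["parameters"], additionalProperties=False)
    name, desc = skill["skill_name"], skill["description"]
    return {
        "mcp": {"name": name, "description": desc, "inputSchema": schema},
        "openai": {"type": "function",
                   "function": {"name": name, "description": desc, "parameters": schema}},
    }

SAMPLE_SKILL = {  # constructed skill definition
    "skill_name": "search_contacts",
    "description": "Search CRM contacts by name or email. Returns up to 20 matches. "
                   "Do not use for creating or editing contacts.",
    "parameters": {"type": "object", "required": ["query"], "properties": {
        "query": {"type": "string", "description": "Name or email fragment"},
        "status": {"type": "string", "enum": ["active", "archived"],
                   "description": "Filter by contact status"}}},
}
```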

Latest Research & Industry Context (2025–2026)

Claude Skills and the Tool Schema Evolution in 2025-2026

Anthropic Claude Skills (launched late 2024, expanded 2025) let users package instructions, scripts, and tool definitions as reusable capability bundles that Claude loads contextually. OpenAI Custom GPTs evolved similarly toward structured Actions with OpenAPI schemas, while the industry converges on JSON Schema tool definitions compatible with MCP tool manifests. A Skill Builder product must generate valid JSON Schema for parameters, human-readable descriptions that models use for tool selection, and execution endpoints that return structured JSON.

On BisenseAI, each user-defined skill maps to a BisenseFlow subgraph deployed as an Agent tool or MCP tool entry. The Weaver composer UI collects skill name, description, parameter fields, and HTTP/Composio wiring; validation Logic nodes reject schemas missing required fields or containing ambiguous descriptions. Tool descriptions should follow 2025 best practice: state when to use the tool, what it returns, and explicit negative cases (when NOT to call it).

Multi-tenant skill libraries require namespace isolation: skill_id prefixes per tenant, secrets scoped in BisenseAI vault, and sandbox HTTP allowlists preventing SSRF from user-authored endpoints. Rate-limit skill invocations per tenant in the Agent node max_tool_calls setting.

Sources: Anthropic Claude Skills documentation · OpenAI Assistants API tool schemas · MCP spec 2025-11-25

OpenAI Custom GPTs Evolution and Composio OAuth Actions

OpenAI function calling and Anthropic tool_use share a convergent pattern: the model emits structured arguments, runtime validates against schema, executes, and returns tool_result messages. Skill Builder apps that export to both MCP and native Agent nodes should maintain one canonical schema in the BisenseFlow workflow Input node and auto-generate MCP tool definitions and OpenAI function JSON from it.

Composio integration on BisenseFlow provides pre-built OAuth-connected actions (Slack, GitHub, Salesforce) that users compose into skills without writing HTTP boilerplate. Wrap Composio actions with user-defined parameter mapping in the skill composer, exposing only the fields end users should control.

Schema versioning matters: breaking parameter renames require new skill_version metadata while in-flight agent runs complete on the prior version. Weaver diff UI and playground regression fixtures catch backward-incompatible changes before publish.

Sandboxing and Validation for User-Authored Agent Tools

Letting end users define agent tools creates SSRF, credential leakage, and prompt injection surfaces that production platforms must gate. 2025-2026 best practice combines JSON Schema validation on inputs, outbound HTTP allowlists (domain + path patterns), timeout caps (30s default), response size limits (1MB), and optional human-in-the-loop approval for write operations.

BisenseFlow Logic nodes should classify skills as read-only (GET, search) vs mutating (POST, DELETE) and route mutating invocations through Weaver approval gates when tenant policy requires it. Log every skill invocation with tenant_id, skill_id, arguments hash, and latency in LangSmith for audit.

Test skills in the Weaver playground with adversarial inputs: oversized payloads, SQL injection strings in parameters, and internal IP URLs in HTTP nodes should all fail validation before reaching external networks.

Sources: OWASP LLM Top 10 2025 · MCP security guidelines

Step-by-Step: Build in BisenseAI

  1. Create skill-builder BisenseFlow workflow

    New workflow `skill-builder-core` on BisenseFlow canvas.

    Add Input nodes; connect to first processing node.

  2. Configure primary LLM/Agent nodes

    Set prompts, temperature, max_tokens in node panels.

    Playground sample input; time-travel outputs.

  3. Add integrations

    Wire HTTP, Composio, fal.ai, FFmpeg, or Playwright as needed.

    Store credentials in BisenseAI secrets.

  4. Control-flow and errors

    Logic branches for validation; retry loops on 429/5xx.

    Structured JSON errors.

  5. JSON Output schema

    Define stable fields for Weaver.

    Document in README.

  6. Weaver UI

    App Nodes + I/O binding + AI-assisted linking.

    Loading/error states.

  7. Streaming (if applicable)

    Enable LLM stream mode; map to UI callback.

    Debounce rapid clicks.

  8. Playground regression

    Save 5–10 fixtures.

    Time-travel diff after changes.

  9. Observability

    LangSmith/LangFuse on.

    Review first 50 traces.

  10. Deploy REST API

    Deploy panel; gateway rate limits.

    Rotate keys.

  11. Optional MCP

    MCP Server deploy; Claude Desktop test.

    Separate tools vs resources.

  12. Production launch

    Complete the Production Checklist.

    Monitor 24h error rate.

Production Checklist

  • Playground fixtures pass
  • Secrets not in exported graphs
  • Stable JSON Output schema
  • Rate limits configured
  • LangSmith/LangFuse enabled
  • Error branches tested
  • RBAC on Weaver routes
  • Retry policy on HTTP nodes
  • Deploy keys rotated
  • Runbook published
  • Cost alerts configured
  • MCP descriptions accurate (if used)

Common Pitfalls

Monolithic mega-prompt

Split per-action subgraphs on BisenseFlow for quality and cost.

Missing guards

Empty inputs should not call LLM—use Logic nodes.

Unstable JSON shape

Weaver breaks when Output fields rename—version carefully.

No traces

Enable LangSmith before launch—not after incidents.

Unbounded loops

Cap iterations and agent max_tool_calls.

Frequently Asked Questions

How do Claude Skills differ from what I build in a Skill Builder on BisenseAI?

Claude Skills are Anthropic-hosted capability bundles for Claude clients. A BisenseAI Skill Builder lets YOUR users create tools for YOUR product agents, exported as BisenseFlow Agent tools or MCP tools for any model host. You control validation, tenancy, billing, and observability. Skills authored in your builder deploy to your MCP server or REST API, not to an Anthropic skill marketplace.

What JSON Schema patterns work best for LLM tool selection?

Use clear tool names (snake_case verbs: search_contacts, create_invoice). Descriptions must say when to use the tool and what it returns. Required parameters should be minimal; use enums for fixed choices. BisenseFlow Input nodes define the canonical schema; auto-generate OpenAI function and MCP tool manifests from the same source to avoid drift.

Can users attach Composio integrations without code?

Yes. The Weaver skill composer lists Composio actions with OAuth already handled. Users map skill parameters to Composio action fields visually on BisenseFlow. Secrets stay in BisenseAI vault; exported skill templates never contain credentials.

How do I prevent malicious HTTP endpoints in user-defined skills?

Enforce outbound allowlists in HTTP Request node configuration: only approved domains per tenant tier. Block RFC1918 IPs, metadata endpoints (169.254.169.254), and file:// schemes in Custom Python validators. Run skills in a sandbox tier with read-only Composio scopes until admin approval promotes them to production.
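
An added sketch of such a validator (not BisenseAI code), covering this answer and the denylist described under "Sandbox and Approval": scheme check, per-tenant host allowlist, and rejection of any literal or resolved address that is not globally routable, including IPv4-mapped IPv6. The function names, the HTTPS-only rule and the injected resolver are assumptions; the DNS answers are constructed so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: skills may only call HTTPS endpoints

def is_public(ip):
    """True only for globally routable addresses (not RFC1918, loopback, link-local)."""
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    return ip.is_global

def check_skill_url(url, allowed_hosts, resolve):
    """Return (ok, reason). `resolve(host)` returns the host's IP strings."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and not is_public(literal):
        return False, "non-public address literal"
    if host not in allowed_hosts:
        return False, "host not on tenant allowlist"
    if literal is None:
        addrs = resolve(host)
        if not addrs:
            return False, "host does not resolve"
        for addr in addrs:  # every record must be public, not just the first
            if not is_public(ipaddress.ip_address(addr)):
                return False, f"resolves to non-public address {addr}"
    return True, "ok"

# Constructed DNS answers so the example runs offline.
CONSTRUCTED_DNS = {"api.example.com": ["93.184.216.34"],
                   "hooks.partner.example": ["93.184.216.34", "10.0.0.5"]}
ALLOWED = {"api.example.com", "hooks.partner.example"}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])
```

The HTTP client must connect to the address that passed this check rather than resolving the name again, and the check has to run again on every redirect hop.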

Should skills deploy as MCP tools or Agent subgraphs?

Agent subgraphs suit in-platform agents on BisenseFlow with shared memory and HITL. MCP tools suit external clients (Claude Desktop, Cursor, custom apps) discovering capabilities via standard manifests. Publish both from the same BisenseFlow workflow using dual deploy targets; keep descriptions identical to prevent model confusion.

How do I version skills when users edit them?

Assign monotonic skill_version in metadata. Agent nodes reference skill_id@version; breaking schema changes require new version while old agents finish in-flight runs. Weaver UI shows diff between versions; playground regression fixtures validate backward compatibility before publish.
