A deep dive into the keynote by Pedro Rodrigues at MCP Dev Summit North America 2026
Pedro Rodrigues, AI Tooling Engineer at Supabase, challenged a growing rift in the developer community. “People keep asking if they should build an MCP server or use Agent Skills,” Rodrigues noted. “But that’s the wrong frame. They aren’t competitors; they are the two halves of a working agent.”
Rodrigues’ talk addressed the “Context Gap”—the space between an agent having the capability to do work (via tools) and the knowledge to do it safely and correctly (via context).
Capability vs. Knowledge: Solving the Context Gap
The central thesis of the Supabase approach is that capability is no longer the bottleneck; context is. While the Model Context Protocol (MCP) provides the “steering wheel” (the ability to execute SQL, list projects, or manage Edge Functions), agents often crash because they lack the “driving lessons” (procedural knowledge).
Rodrigues mapped the relationship across three core primitives:
- Tools vs. Scripts: MCP tools rely on strictly typed JSON schemas and isolated execution. Agent Skills favor “instant iteration,” allowing agents to author and run scripts dynamically to solve the “last mile” of a task.
- Resources vs. References: While MCP Resources allow an agent to read data, they are often underutilized because the agent doesn’t know when to fetch them. Skills solve this by bundling references/—static documentation files that the agent is explicitly instructed to load during specific task triggers.
- Prompts vs. SKILL.md: Instead of relying on brittle system prompts, the SKILL.md standard provides a structured manifest that guides agent behavior across 18+ different coding assistants (Cursor, Claude Code, GitHub Copilot).
The Security Blind Spot: The RLS “security_invoker” Case Study
To demonstrate the danger of the “Context Gap,” Rodrigues showcased a live failure of a standard agentic workflow.
The Scenario: An agent is tasked with creating a Postgres View for a sensitive dashboard.
- The Baseline Agent: Relies on training data. It knows how to write a CREATE VIEW statement but fails to realize that in Supabase, views bypass Row Level Security (RLS) by default.
- The Result: The agent ships an insecure view that exposes private user data to the anon role.
The Solution: By loading the Supabase Agent Skill, the agent is forced to verify against live documentation before implementing code. The skill explicitly flags the Postgres 15+ requirement for WITH (security_invoker = true). In the demo, the skill-equipped agent proactively identified the security trap, searched the docs, and implemented the fix before the user even asked.
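The case study above, as an added example that is not code from the talk or from the Supabase skill: a view over an RLS-protected table before and after the fix, followed by a catalog query that lists views still missing the option. The table, policy and view names are hypothetical; auth.uid() and the authenticated role are the ones Supabase provides.

```sql
-- Constructed schema: table, policy and view names are hypothetical.
create table public.profiles (
  id      uuid primary key,
  user_id uuid not null,
  email   text not null
);
alter table public.profiles enable row level security;

-- Signed-in users may read only their own row.
create policy profiles_owner_read on public.profiles
  for select to authenticated
  using (user_id = auth.uid());

-- Before: a plain view reads the table with the view owner's privileges.
-- When the owner also owns the table (or has BYPASSRLS), the policy above
-- is not applied to whoever queries the view.
create view public.dashboard_profiles as
  select id, user_id, email from public.profiles;

-- After (Postgres 15+): evaluate permissions and RLS as the calling role.
alter view public.dashboard_profiles set (security_invoker = true);

-- Audit: views outside the system schemas without security_invoker enabled.
select n.nspname as schema_name, c.relname as view_name
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'v'
  and n.nspname not in ('pg_catalog', 'information_schema')
  and not exists (
    select 1
    from unnest(coalesce(c.reloptions, '{}'::text[])) as opt
    where opt ~* '^security_invoker=(true|on|yes|1)$'
  )
order by 1, 2;
```

Any row the audit query returns is a view that still reads its underlying tables through the owner's privileges and should be reviewed before it is exposed to API roles.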
Benchmarking “MCP + Skills” for Agentic Reliability
Supabase conducted internal benchmarks to quantify the value of adding procedural context to tool execution. They tested agents on complex database migrations and security audits across three conditions:
- Baseline: No tools or skills (Agent relies purely on pre-training). Result: High hallucination; 0% security compliance.
- MCP Only: Agent has access to the Supabase MCP server but no skill. Result: High capability, but “guessing” at tool combinations.
- MCP + Skills: The agent has both. Result: 100% success rate on security-critical tasks.
The data showed that MCP alone is not enough. Without a skill to steer it, the MCP-only agent often ignored the search_docs tool entirely, defaulting to its (potentially outdated) training data.
Progressive Disclosure: Combatting Token Bloat
A critical concern for 2026 agentic workflows is token saturation. Loading every piece of documentation into a 200k context window is expensive and degrades model attention.
Rodrigues advocated for Progressive Disclosure. The Supabase skill instructs agents to:
- Fetch, don’t replicate: Use the MCP search_docs tool to pull only relevant snippets.
- Markdown Fetching: Append .md to any Supabase docs URL to get a clean, LLM-ready version of the page on demand.
- Layered Knowledge: Keep the absolute essentials (like the RLS security checklist) in SKILL.md, but leave the deep API references in external files that are only opened when the agent is “blocked.”
Resources & Validation Checklist
- Primary Project: Supabase Agent Skills (GitHub)
- Documentation: Supabase MCP & Skills Guide
- Standard Manifest: SKILL.md Specification
- Standards: Model Context Protocol (MCP) | AGENTS.md
- Supporting Tools: Zed Editor | Claude Code | Cursor
- Key Takeaway: The path to production-grade AI agents requires a hybrid architecture: MCP for the interface to the system, and Agent Skills for the expert judgment required to use that interface safely.