The gap between a chatbot and an AI agent is bridged by tool calling โ the mechanism that allows a language model to request the execution of real functions with real effects. Understanding how this works at a technical level demystifies what agents actually do and clarifies why safety controls matter at the architecture level, not just as a UI feature.
The Basics of Tool Calling
Language models generate text. To take actions, they need to generate text that the surrounding system can parse as a function call. Tool calling (also called function calling) is a standardised way to do this.
The process works like this: before sending the user's message to the model, you include in the system context a list of available tools, each described by a JSON schema:
{
"name": "send_email",
"description": "Send an email to a recipient",
"parameters": {
"type": "object",
"properties": {
"to": { "type": "string", "description": "Recipient email address" },
"subject": { "type": "string", "description": "Email subject line" },
"body": { "type": "string", "description": "Email body in plain text" }
},
"required": ["to", "subject", "body"]
}
}When the model decides it should use a tool, instead of generating a text reply, it generates a structured tool call response:
{
"tool_call": {
"name": "send_email",
"arguments": {
"to": "sarah@example.com",
"subject": "Project update",
"body": "Hi Sarah, here is the update you requested..."
}
}
}Your code โ the "agent framework" โ receives this, parses it, and executes the actual function. The result is then returned to the model as the next message in the conversation, and the model generates its final response based on that result.
The ReAct Loop
Most real agentic tasks require more than one tool call. The ReAct (Reason + Act) loop handles multi-step execution. The model interleaves reasoning steps ("I need to check Sarah's availability before scheduling the meeting") with action steps (calling the calendar tool), and uses each action's result to inform the next reasoning step.
A complete ReAct loop for "Schedule a 30-minute call with Sarah this week" might look like:
Reason: I need to check Sarah's calendar availability and mine. Act: Call get_calendar_availability(person="Sarah", week="current"). Observe: Sarah is free Tuesday 3pm, Thursday 10am. Reason: Check my own availability for those slots. Act: Call get_my_availability(slots=["Tuesday 3pm", "Thursday 10am"]). Observe: I am free both slots. Reason: Create the event and send the invite. Act: Call create_calendar_event(title="Call with Sarah", time="Tuesday 3pm", duration=30, invite=["sarah@example.com"]). Observe: Event created, invite sent. Respond: "Done โ I scheduled a 30-minute call with Sarah for Tuesday at 3pm."
The user sees only the initial request and the final response. All the intermediate reasoning and tool calls happen in the agent loop.
Why Safety Modes Operate at This Layer
Safety controls in Skales operate at the tool execution layer, not at the UI layer. This is important: a UI-level safety check (a button that asks "are you sure?") can be bypassed by a fast-clicking user or an agent acting autonomously. A tool-level safety check intercepts the execution request before it reaches the actual function, regardless of how the request was generated.
When the agent framework receives a tool call request, before routing it to the actual function, it checks the tool against the current Safety Mode:
if (safetyMode === 'safe' && BLOCKED_TOOLS.includes(toolName)) {
return { error: 'Tool blocked in Safe mode' }
}
if (safetyMode === 'advanced' && REVIEW_TOOLS.includes(toolName)) {
const approved = await requestUserApproval(toolName, args)
if (!approved) return { error: 'User declined' }
}The approval flow sends an IPC event to the renderer, which renders the approve/decline card. If the user declines, the tool call returns an error, the model sees that the action was declined, and it adjusts its plan accordingly.
This architecture means that even in an autonomous multi-step execution, dangerous operations are intercepted at the right layer. See the FAQ for more on Safety Modes and features overview.