
AI doing things

This is how AI books your meeting or sends your email.

Tools give the LLM hands. LLM means large language model. Alone, the model produces text. With tools, the model can call a function you wrote. Check the weather. Run a calculation. Send an email. The model decides which tool to call based on your request, the tool runs, and the result comes back for the model to use in its answer.

[Diagram: USER (input) → LLM (language model) → RESPONSE, with TOOLS (callable functions, shown as email 📧 and search 🔍) attached to the LLM]

Tools turned on. The model can now call functions and act in the world.

The process

You define a set of tools. Each tool has a name, a short description, and a list of inputs. For example: a tool named “get_weather” with a description “returns the current weather for a given city” and one input “city.”

When the user asks a question, the LLM reads the question and the list of tools. If the question matches a tool (“what’s the weather in Paris?”), the model emits a structured request: “call get_weather with city=Paris.” Your code runs the tool, gets the answer, and passes it back to the model. The model then writes the human-readable reply.

If no tool matches, the model answers from its training. Tools are used when needed.
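To make the process above concrete, here is an added Python example; it is not code from the page and calls no real model or API. It shows the plumbing your code owns: a tool table with name, description and declared inputs, the definitions the model is shown, and the step that takes the model's structured request, checks it, and runs it. The tool names, their bodies and the sample tool-call JSON are constructed for the example; the definition shape loosely follows the JSON-Schema style used for parameters in the OpenAI and Anthropic APIs.

```python
import json
from dataclasses import dataclass
from typing import Any, Callable

# Types a declared input may use, mapped to the Python types json.loads produces.
JSON_TYPES = {"string": str, "number": (int, float), "integer": int, "boolean": bool}


@dataclass
class Tool:
    """One tool as the page describes it: a name, a short description, a list of inputs."""
    name: str
    description: str
    inputs: dict          # input name -> declared type, e.g. {"city": "string"}
    required: list        # inputs the model must supply
    fn: Callable[..., Any]

    def definition(self) -> dict:
        """The definition the model reads when deciding whether to call this tool."""
        return {
            "name": self.name,
            "description": self.description,
            "parameters": {
                "type": "object",
                "properties": {k: {"type": t} for k, t in self.inputs.items()},
                "required": self.required,
            },
        }


def get_weather(city: str) -> str:
    # Constructed stand-in for a real weather lookup.
    return f"{city}: 18°C, light rain"


def add(a: float, b: float) -> float:
    return a + b


TOOLS = {
    t.name: t
    for t in [
        Tool("get_weather", "returns the current weather for a given city", {"city": "string"}, ["city"], get_weather),
        Tool("add", "adds two numbers and returns the sum", {"a": "number", "b": "number"}, ["a", "b"], add),
    ]
}


def tool_definitions() -> list:
    """What your code sends to the model alongside the user's question."""
    return [t.definition() for t in TOOLS.values()]


def execute_tool_call(call_json: str) -> dict:
    """Run one structured request emitted by the model, e.g.
    {"name": "get_weather", "arguments": {"city": "Paris"}}.

    The model's output is untrusted input to your program: parse it, confirm the
    tool exists, confirm every required argument is present with the declared
    type and nothing extra was added, and only then call the function.
    """
    try:
        call = json.loads(call_json)
        name, args = call["name"], call.get("arguments", {})
    except (json.JSONDecodeError, KeyError, TypeError, AttributeError) as e:
        return {"ok": False, "error": f"malformed tool call: {e}"}
    if not isinstance(args, dict):
        return {"ok": False, "error": "arguments must be an object"}
    tool = TOOLS.get(name) if isinstance(name, str) else None
    if tool is None:
        return {"ok": False, "error": f"unknown tool {name!r}"}
    missing = [k for k in tool.required if k not in args]
    unexpected = [k for k in args if k not in tool.inputs]
    if missing or unexpected:
        return {"ok": False, "error": f"missing={missing} unexpected={unexpected}"}
    for k, v in args.items():
        declared = tool.inputs[k]
        # bool is a subclass of int in Python, so true/false must not pass as numbers.
        if not isinstance(v, JSON_TYPES[declared]) or (isinstance(v, bool) and declared != "boolean"):
            return {"ok": False, "error": f"argument {k!r} should be {declared}"}
    # The result goes back to the model as a tool message; the model then writes the reply.
    return {"ok": True, "result": tool.fn(**args)}


if __name__ == "__main__":
    print(json.dumps(tool_definitions(), indent=2))
    print(execute_tool_call('{"name": "get_weather", "arguments": {"city": "Paris"}}'))
    print(execute_tool_call('{"name": "get_weather", "arguments": {"city": 42}}'))
```

The checks before `tool.fn(**args)` are the part worth copying: a model can name a tool that does not exist, omit an argument, add one you never declared, or pass the wrong type, and each of those should be rejected by your code rather than reach the function.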

You’ve encountered this when…

You told ChatGPT in voice mode to set a timer, and it set the timer. You asked Claude in the desktop app to check today’s weather before suggesting an outfit, and it checked. You asked an AI assistant to send an email, and it drafted and sent one. All of those are tool calls.

A familiar example

Think about hiring a research assistant. You give them a phone, a laptop, and a list of things they are allowed to do: book travel, check prices, email the team. They figure out which phone number to dial or which website to check for each task. Tools give the LLM the same kind of list. The model reads the list and picks the right one for your request.

Variants include

Function calling (OpenAI and Anthropic APIs)

The standard way to wire tools into an LLM. Your code sends the LLM a list of tool definitions. The model returns either a text answer or a structured tool call. Both OpenAI and Anthropic support this in their APIs.

Structured outputs

A related feature. The LLM is asked to return a specific JSON shape, like a product record or a form submission. The model’s output is checked against the shape before returning. This makes LLMs safer to plug into normal software.
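The sentence "checked against the shape before returning" is the whole point of structured outputs, so here is an added Python example of that check; it is not code from the page and does not use any vendor's built-in schema enforcement. The product-record schema and the two sample model replies are constructed. The validator accepts a small JSON-Schema-like dialect (type, enum, required, properties) and rejects keys the schema does not declare, which is how stray free text from the model gets caught before it enters normal software.

```python
import json

# Constructed example: the "product record" shape the page mentions.
PRODUCT_SCHEMA = {
    "type": "object",
    "properties": {
        "sku": {"type": "string"},
        "price": {"type": "number"},
        "currency": {"type": "string", "enum": ["EUR", "GBP", "USD"]},
        "in_stock": {"type": "boolean"},
        "dimensions": {
            "type": "object",
            "properties": {"w_cm": {"type": "number"}, "h_cm": {"type": "number"}},
            "required": ["w_cm", "h_cm"],
        },
    },
    "required": ["sku", "price", "currency", "in_stock"],
}

# Constructed model replies: one that fits the shape, one that does not.
GOOD = '{"sku": "A-100", "price": 19.99, "currency": "EUR", "in_stock": true, "dimensions": {"w_cm": 10, "h_cm": 4}}'
BAD = '{"sku": "A-100", "price": "19.99", "currency": "YEN", "in_stock": true, "note": "free text"}'

PY_TYPES = {"string": str, "number": (int, float), "integer": int, "boolean": bool, "object": dict, "array": list}


def validate(value, schema, path="$") -> list:
    """Return a list of problems (empty list means valid).

    Checks the declared type, enum membership, required keys, and rejects
    keys the schema does not declare. Recurses into nested objects.
    """
    expected = schema["type"]
    # bool is a subclass of int in Python; true/false must not pass as numbers.
    if not isinstance(value, PY_TYPES[expected]) or (isinstance(value, bool) and expected != "boolean"):
        return [f"{path}: expected {expected}, got {type(value).__name__}"]
    problems = []
    if "enum" in schema and value not in schema["enum"]:
        problems.append(f"{path}: {value!r} not in {schema['enum']}")
    if expected == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                problems.append(f"{path}.{key}: missing")
        for key, sub in value.items():
            if key not in props:
                problems.append(f"{path}.{key}: not in schema")
            else:
                problems.extend(validate(sub, props[key], f"{path}.{key}"))
    return problems


def parse_structured_output(model_text: str, schema: dict) -> dict:
    """Parse the model's reply and check it against the schema before the
    rest of the program sees it. Only validated data is returned."""
    try:
        data = json.loads(model_text)
    except json.JSONDecodeError as e:
        return {"ok": False, "errors": [f"not JSON: {e.msg}"]}
    errors = validate(data, schema)
    if errors:
        return {"ok": False, "errors": errors}
    return {"ok": True, "errors": [], "data": data}


if __name__ == "__main__":
    print(parse_structured_output(GOOD, PRODUCT_SCHEMA))
    print(parse_structured_output(BAD, PRODUCT_SCHEMA))
```

In the failing case the program learns three separate things: `price` came back as a string, `currency` is outside the allowed set, and the model added a `note` key nobody asked for. A validator that only checked required keys would have passed that record straight into your database.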

The breaking point

The model picks which tool to call based on the tool’s name and description. Write a vague description, the model ignores the tool. Write two tools with overlapping descriptions, the model picks one at random. Tool design is more prompt engineering than software engineering, and teams spend weeks tuning descriptions to get reliable behaviour.

Your takeaway

Tools are what turn an LLM from a chat partner into a worker. Every time ChatGPT or Claude does something that needs real-time data or action in the world, a tool call made it possible.

MCP: standardised tools

Tools work. Custom tool integrations break. Every developer building on Claude wired up their own version of “send an email” or “read a calendar”. None of them spoke to each other. The Model Context Protocol (MCP) fixes this.

MCP is an open standard. A tool built once works with any MCP-compatible AI. A calendar tool, a database tool, a file system tool. The AI does not need to know how the tool is built. The tool does not need to know which AI is calling it. They both speak MCP.

For users this means the AI in your favourite app can plug into other apps without custom code. For developers it means shared tool libraries instead of point integrations. Anthropic, Cursor, and several others have shipped MCP support.

Agent loops: AI working on its own

A tool call is a single action. An agent loop is a chain of them. The AI decides which tool to call next based on what the previous tool returned. It keeps going until the task is done.

A simple example: you ask the AI to research a competitor. It calls a search tool. It reads the results. It calls a fetch tool to read the most relevant page. It calls a summary tool. It writes a report. Five tool calls, no human in between.

Agent loops produce the things people mean when they say “AI assistant.” Booking a meeting that involves checking three calendars. Triaging an inbox. Investigating a support ticket end to end. The agent runs alone. The user sees the result.

Prompt injection: the security catch

Tool-using AI is the highest-stakes attack surface in 2026. An attacker can hide instructions inside a document. The AI reads the document, treats the hidden instructions as legitimate, and uses its tools to do the attacker's bidding. This is prompt injection.

The defence is the same as for any untrusted input: validate, sandbox, and log. The AI should never run high-impact tools (delete files, send money, share data) without explicit user confirmation. Tool calls should run in least-privilege environments. Every action should be logged so a wrong action can be reverted.

Most consumer chats are not tool-enabled, so this risk does not affect them. The risk lands hard on enterprise deployments and autonomous agents. If the agent in front of you can take actions, ask whether prompt injection has been considered before you trust it with anything sensitive.
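The agent loop described two sections above and the three defences listed here (confirmation for high-impact tools, least privilege, a log of every action) fit naturally in one piece of code, so here is an added Python example covering both; it is not code from the page and it calls no real model. The model is replaced by a scripted stand-in that replays a fixed sequence of responses, so the loop runs offline; the tools, their risk tiers, the task and the sample responses are constructed. The loop treats every tool result as data rather than instructions, and the policy gate decides about each call before it runs, whatever the model's reason for asking.

```python
import json
from dataclasses import dataclass, field

# Each tool carries a risk tier. Names and bodies are constructed stand-ins for
# a search API, an HTTP fetch and a mail sender.
READ, HIGH_IMPACT = "read", "high_impact"


def search(query: str) -> str:
    return json.dumps([{"title": "Acme pricing", "url": "https://example.com/acme/pricing"}])


def fetch(url: str) -> str:
    # Constructed page body. Whatever a fetched page says, it is data, not instructions.
    return "Acme Pro plan: 29 EUR/month. Enterprise: contact sales."


def send_email(to: str, body: str) -> str:
    return f"sent to {to}"


TOOLS = {"search": (READ, search), "fetch": (READ, fetch), "send_email": (HIGH_IMPACT, send_email)}


@dataclass
class Policy:
    allowed_tools: set                              # least privilege: only what this task needs
    confirmed: set = field(default_factory=set)     # (tool, canonical args) the user explicitly approved
    max_steps: int = 10                             # budget so a looping agent cannot run forever

    def decide(self, name: str, args: dict) -> str:
        if name not in TOOLS:
            return "deny: unknown tool"
        if name not in self.allowed_tools:
            return "deny: not permitted for this task"
        tier, _ = TOOLS[name]
        if tier == HIGH_IMPACT and (name, json.dumps(args, sort_keys=True)) not in self.confirmed:
            return "needs_confirmation"
        return "allow"


class ScriptedModel:
    """Stand-in for the LLM: replays a fixed list of responses so the loop runs offline.
    A real model would derive each response from the message history."""
    def __init__(self, responses):
        self.responses = list(responses)

    def respond(self, messages):
        return self.responses.pop(0)


def run_agent(model, task: str, policy: Policy) -> dict:
    messages = [{"role": "user", "content": task}]
    audit = []  # one record per attempted action, kept whether or not the action ran
    for step in range(policy.max_steps):
        reply = model.respond(messages)
        messages.append({"role": "assistant", "content": reply})
        if reply["type"] == "final":
            return {"answer": reply["text"], "audit": audit, "steps": step + 1}
        name, args = reply["name"], reply["arguments"]
        decision = policy.decide(name, args)
        audit.append({"step": step, "tool": name, "arguments": args, "decision": decision})
        if decision == "allow":
            # Arguments are assumed already validated against the tool's declared inputs.
            result = TOOLS[name][1](**args)
            content = {"source": "tool_output", "trusted": False, "text": result}
        elif decision == "needs_confirmation":
            # The call did not run; a real deployment surfaces this to the user.
            content = {"source": "policy", "text": f"{name} is high-impact and needs user confirmation"}
        else:
            content = {"source": "policy", "text": decision}
        messages.append({"role": "tool", "name": name, "content": json.dumps(content)})
    audit.append({"step": policy.max_steps, "tool": None, "arguments": None, "decision": "deny: step budget exhausted"})
    return {"answer": None, "audit": audit, "steps": policy.max_steps}


# Constructed response sequence: the model searches, fetches, then tries to send an email.
SCRIPT = [
    {"type": "tool_call", "name": "search", "arguments": {"query": "Acme pricing"}},
    {"type": "tool_call", "name": "fetch", "arguments": {"url": "https://example.com/acme/pricing"}},
    {"type": "tool_call", "name": "send_email", "arguments": {"to": "team@example.com", "body": "Acme Pro is 29 EUR/month"}},
    {"type": "final", "text": "Acme Pro costs 29 EUR/month; Enterprise is quote-based."},
]


def research_run(policy: Policy) -> dict:
    return run_agent(ScriptedModel(SCRIPT), "Research Acme's pricing and report back.", policy)


if __name__ == "__main__":
    run = research_run(Policy(allowed_tools={"search", "fetch", "send_email"}))
    for entry in run["audit"]:
        print(entry)
    print(run["answer"])
```

Three policies give three different audit trails for the same model behaviour: with `send_email` permitted but unconfirmed the call is held; with a least-privilege allowlist of `search` and `fetch` it is denied outright; with the exact call pre-approved it runs. The audit list is what lets you answer "what did the agent do?" after the fact and undo a wrong action.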

Use this page with your AI

Copy the prompt below. Paste it into Claude, Copilot, Gemini, or any AI you use. The AI will ask you simple questions, then teach the page back to you using your own work as the example.

You are an expert teacher and AI strategist. Read the page below as your reference material.

PAGE: Tools

CONTENT:
## Essence
Tools give the LLM hands. LLM means large language model. Alone, the model produces text. With tools, the model can call a function you wrote. Check the weather. Run a calculation. Send an email. The model decides which tool to call based on your request, the tool runs, and the result comes back for the model to use in its answer.

## The process
You define a set of tools. Each tool has a name, a short description, and a list of inputs. For example: a tool named "get_weather" with a description "returns the current weather for a given city" and one input "city."

When the user asks a question, the LLM reads the question and the list of tools. If the question matches a tool ("what's the weather in Paris?"), the model emits a structured request: "call get_weather with city=Paris." Your code runs the tool, gets the answer, and passes it back to the model. The model then writes the human-readable reply.

If no tool matches, the model answers from its training. Tools are used when needed.

## You've encountered this when...
You told ChatGPT in voice mode to set a timer, and it set the timer. You asked Claude in the desktop app to check today's weather before suggesting an outfit, and it checked. You asked an AI assistant to send an email, and it drafted and sent one. All of those are tool calls.

## A familiar example
Think about hiring a research assistant. You give them a phone, a laptop, and a list of things they are allowed to do: book travel, check prices, email the team. They figure out which phone number to dial or which website to check for each task. Tools give the LLM the same kind of list. The model reads the list and picks the right one for your request.

## Variants include
- Function calling (OpenAI and Anthropic APIs). The standard way to wire tools into an LLM. Your code sends the LLM a list of tool definitions. The model returns either a text answer or a structured tool call. Both OpenAI and Anthropic support this in their APIs.
- Structured outputs. A related feature. The LLM is asked to return a specific JSON shape, like a product record or a form submission. The model's output is checked against the shape before returning. This makes LLMs safer to plug into normal software.

## The breaking point
The model picks which tool to call based on the tool's name and description. Write a vague description, the model ignores the tool. Write two tools with overlapping descriptions, the model picks one at random. Tool design is more prompt engineering than software engineering, and teams spend weeks tuning descriptions to get reliable behaviour.

## Your takeaway
Tools are what turn an LLM from a chat partner into a worker. Every time ChatGPT or Claude does something that needs real-time data or action in the world, a tool call made it possible.

## MCP: standardised tools
Tools work. Custom tool integrations break. Every developer building on Claude wired up their own version of "send an email" or "read a calendar". None of them spoke to each other. The Model Context Protocol (MCP) fixes this.

MCP is an open standard. A tool built once works with any MCP-compatible AI. A calendar tool, a database tool, a file system tool. The AI does not need to know how the tool is built. The tool does not need to know which AI is calling it. They both speak MCP.

For users this means the AI in your favourite app can plug into other apps without custom code. For developers it means shared tool libraries instead of point integrations. Anthropic, Cursor, and several others have shipped MCP support.

## Agent loops: AI working on its own
A tool call is a single action. An agent loop is a chain of them. The AI decides which tool to call next based on what the previous tool returned. It keeps going until the task is done.

A simple example: you ask the AI to research a competitor. It calls a search tool. It reads the results. It calls a fetch tool to read the most relevant page. It calls a summary tool. It writes a report. Five tool calls, no human in between.

Agent loops produce the things people mean when they say "AI assistant." Booking a meeting that involves checking three calendars. Triaging an inbox. Investigating a support ticket end to end. The agent runs alone. The user sees the result.

### Prompt injection: the security catch
Tool-using AI is the highest-stakes attack surface in 2026. An attacker can hide instructions inside a document. The AI reads the document, treats the hidden instructions as legitimate, and uses its tools to do the attacker's bidding. This is prompt injection.

The defence is the same as for any untrusted input: validate, sandbox, and log. The AI should never run high-impact tools (delete files, send money, share data) without explicit user confirmation. Tool calls should run in least-privilege environments. Every action should be logged so a wrong action can be reverted.

Most consumer chats are not tool-enabled, so this risk does not affect them. The risk lands hard on enterprise deployments and autonomous agents. If the agent in front of you can take actions, ask whether prompt injection has been considered before you trust it with anything sensitive.

Your job:

1. Ask me 3 to 5 simple questions about my work, my situation, and what I would actually use AI for. One question at a time. Wait for my answer between each.
2. Once you have my answers, explain the key ideas from the page back to me, using my answers as the example.
3. Suggest one concrete next step I could take this week. Tie it back to the page.
4. Push back if my answer is vague. Ask me to be specific.

Rules for you:
- Do not flatter me.
- Do not agree with me when I am wrong.
- If you do not know something, say so.
- Be brief. Two paragraphs at most per turn.
- Ask one question at a time. Do not stack questions.