What is tool use — how an AI agent presses real buttons

Here's the thing that breaks people's mental model: a language model on its own can't do anything. It can't go online, send an email, or check the weather. The only thing it physically does is finish a piece of text. So where do AI agents that actually do things come from?
The answer is tool use. And it's far simpler than it sounds.
What it is
Tool use is a deal between you and the model: you hand it a list of buttons and a description of what each one does. When an answer needs one of them, the model doesn't press it (it can't) — it writes: "press the weather button with city = Moscow." Your code sees that, actually calls the weather service, and hands the result back to the model. The model reads it and continues the conversation.
So the model is the brain that says "do this." The hands are your code. An LLM thinks in words; tools give those words a way out into the real world.
How it works, step by step
- You describe the tools. E.g. get_weather(city) — "returns the weather," send_email(to, body) — "sends an email." Just a name, what it does, what parameters it takes.
- The user asks. "What's the weather in St. Petersburg?"
- The model realizes words won't cut it — it needs a tool. Instead of plain text it emits a structured call: get_weather(city="St. Petersburg").
- Your code runs it. It actually hits the weather service and gets "+14°C, rain."
- The result goes back to the model. It reads "+14, rain" and writes a normal reply: "It's +14 and raining in St. Petersburg — grab an umbrella."
The key point: the model decides for itself when a tool is needed and when it can answer from memory. "What's 2+2" — instant answer. "What meetings do I have tomorrow" — it knows it has to check the calendar.
Why it matters to you
Because it's the line between a chatbot and an agent. Without tools, an AI is a smart conversationalist who knows a lot but is locked in a room. With tools, it starts to act: book, search, fix, publish.
And tool use is exactly what you'll configure when you build your first agent. Which surfaces the main safety rule: give exactly the buttons it needs. A read_files tool is nearly harmless. A delete_everything tool is a loaded gun. The fewer privileges, the less damage when something goes wrong.
Is MCP the same thing?
Yes — MCP is a standard that describes tools so any model and any app understand them the same way. Instead of hand-describing each button for each model, you plug in a ready MCP server and the tools just appear. Tool use is the idea; MCP is a convenient shared socket for it.
Is it safe?
The mechanism itself, yes. The danger isn't in tools but in what you allowed. A tool that only reads the weather — zero risk. A tool that spends money or sends mail — needs guardrails: confirmations, limits, validation of inputs (see prompt injection). The rule is simple: treat every tool as a privilege you grant, not just a function you added.
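The step-by-step loop above and the guardrails in this section, as one added example that is not part of the original article: the model only emits a structured call as text, and it is this dispatcher (a constructed, minimal one) that presses the button. Everything here is assumed for illustration: the JSON call format, the two stand-in tools, the allowlist, the argument check, and the confirmation flag on the tool that sends mail.

```python
import json

# Stand-in tools (constructed). Only their names and parameters are shown to the model.
def get_weather(city: str) -> str:
    # Placeholder for a real weather API call; sample data is constructed.
    return {"St. Petersburg": "+14°C, rain", "Moscow": "+18°C, clear"}.get(city, "no data")

def send_email(to: str, body: str) -> str:
    return f"queued email to {to}"

# The allowlist: exactly the buttons the agent is allowed to press, nothing else.
# "confirm" marks tools with side effects that must not run on the model's word alone.
TOOLS = {
    "get_weather": {"fn": get_weather, "params": {"city": str}, "confirm": False},
    "send_email":  {"fn": send_email,  "params": {"to": str, "body": str}, "confirm": True},
}

def dispatch(model_output: str, confirmed: bool = False) -> dict:
    """Parse one tool call written by the model, e.g.
    {"tool": "get_weather", "args": {"city": "St. Petersburg"}},
    run it under the guardrails, and return what goes back to the model."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError:
        return {"ok": False, "error": "malformed tool call"}
    if not isinstance(call, dict) or not isinstance(call.get("args", {}), dict):
        return {"ok": False, "error": "malformed tool call"}
    name, args = call.get("tool"), call.get("args", {})
    spec = TOOLS.get(name)
    if spec is None:
        # A tool the model invents (or was tricked into naming) simply never runs.
        return {"ok": False, "error": f"unknown tool: {name}"}
    # Input validation: exactly the declared parameters, each with its declared type.
    params = spec["params"]
    if set(args) != set(params) or any(not isinstance(args[k], t) for k, t in params.items()):
        return {"ok": False, "error": "invalid arguments"}
    # Side-effecting tools wait for a confirmation from the user or a policy check.
    if spec["confirm"] and not confirmed:
        return {"ok": False, "needs_confirmation": True, "tool": name, "args": args}
    return {"ok": True, "result": spec["fn"](**args)}
```

The returned dict is the "result goes back to the model" step; a needs_confirmation reply is what a real agent turns into an "Are you sure?" prompt before the button is actually pressed.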
How is tool use different from a plugin?
A plugin is a specific implementation (a ready integration inside some product). Tool use is the general principle underneath. Plugins, extensions, "functions," MCP servers — they're all different wrappers around the same idea: give the model buttons, and give its words a way out into the world.