Gemini Spark Skills Are Just Trigger-Condition Prompts: How to Write Always-On Agent Instructions That Don't Go Rogue

Google announced Gemini Spark at I/O on May 19, 2026. The headline feature: "Skills" that run 24/7 on Google's cloud, firing on events even when your phone is off. An email arrives, the agent extracts data, logs it to a spreadsheet. No command needed. No app open.

Strip away the branding and you're looking at a prompt template with a trigger attached to it. That's not a criticism. It's the point. The pattern underneath Spark Skills is the same pattern you need for Claude Code Routines, ChatGPT Agents, or any persistent agent you want running unsupervised. And if you get the prompt wrong, 65% of organizations have already learned what happens next: data exposure, unintended actions, operational disruption (Cloud Security Alliance / Token Security, 2026).

This post breaks down that pattern so you can write it yourself for any platform.

The TCAG pattern

Every well-structured always-on agent instruction has four parts. I call it TCAG: Trigger, Condition, Action, Guardrail.

Here's what Google showed for Spark:

"When I receive an email inquiring about my photography services, automatically extract the client's name, requested date, and log the lead in my Client Tracker Sheet."

Decomposed:

• Trigger: Email received
• Condition: Content matches photography service inquiry
• Action: Extract name + date, write to specific Sheet
• Guardrail: (Missing -- and that's the problem with most first drafts)

The trigger is what wakes the agent up. The condition filters whether it should act. The action is what it does. The guardrail is everything it must not do, plus the approval gates that keep it from going sideways at 3 AM.

Most people write the first three and skip the fourth. That's how you get an agent that replies to every email in your inbox because the condition was too broad, or one that overwrites your spreadsheet because the action had no scope limit.

Writing each layer

Triggers: be specific about the event

A trigger is not "monitor my email." A trigger is "when a new email arrives in my primary inbox from an address not in my contacts." The more specific your trigger, the fewer false activations you deal with.

Across the three major platforms right now:

• Gemini Spark: Event-driven (email, calendar, document changes within Google Workspace)
• Claude Code Routines: Cron schedules, API webhooks (/fire endpoint), GitHub events (PR opened, release published)
• ChatGPT Agents: Custom GPT actions triggered by user-defined conditions

Each platform has different trigger vocabulary, but the prompting discipline is identical: name the exact event, not a vague category.

Conditions: the filter that prevents chaos

The condition is your first line of defense. It answers: "The trigger fired, but should the agent actually do anything?"

Bad condition: "If the email is about business." Good condition: "If the email subject or body contains a request for photography pricing, availability, or booking, AND the sender is not already in my Client Tracker Sheet."

That second version prevents duplicate entries and limits scope to actual booking inquiries rather than every vaguely business-related email.

The Prompt:

You are a persistent background agent monitoring my Gmail inbox.

TRIGGER: New email arrives in Primary inbox.

CONDITION: Act ONLY if ALL of the following are true:
1. The email body or subject asks about photography session pricing, availability, or booking
2. The sender's email address does NOT already exist in column B of my "Client Tracker" Google Sheet
3. The email is NOT a newsletter, automated receipt, or marketing message

If any condition fails, take no action and log nothing.

ACTION: Extract the sender's name, email, requested date (if mentioned), and a one-line summary of their request. Append a new row to the "Client Tracker" Sheet with these fields plus today's date.

GUARDRAIL: Never reply to the email. Never modify existing rows. Never access any Sheet other than "Client Tracker." If you cannot confidently extract a requested date, leave that cell blank rather than guessing.

Why This Works: The condition layer does the heavy lifting. Three explicit filters prevent false positives, and the negative condition (newsletters, receipts) catches the most common edge case. The guardrail section then limits blast radius -- even if the condition somehow passes incorrectly, the agent can only append rows to one specific sheet.

Expected Output:

New row added to Client Tracker: | Date | Name | Email | Requested Date | Summary | | 2026-05-21 | Sarah Chen | [email protected] | June 14 | Asking about 2-hour portrait session pricing for family of four |

Actions: scope them to the minimum

Write actions like you're granting database permissions. The agent should have the narrowest possible capability to complete the task.

"Update my spreadsheet" is too broad. "Append a new row to the Client Tracker sheet in columns A through E" is scoped. "Draft a reply" is too broad. "Draft a reply and save it to my Drafts folder without sending" keeps a human in the loop.

Guardrails: the part everyone skips

This is where the pattern earns its keep. Guardrails cover three things:

What the agent must never do. Explicit deny-lists. "Never send an email without my approval. Never delete rows. Never access financial data."

Approval gates for high-risk actions. The industry is converging on a tiered model: full autonomy for read-only and low-risk actions, human-on-the-loop monitoring for medium-risk, and hard human-in-the-loop approval for anything involving money, external communication, or data deletion. A 2026 study by GetClaw found that teams using batch approval (queue 10-50 proposed actions, review them in a few minutes) reclaimed 10-30 hours per month without giving the agent unsupervised access.

Logging and audit trails. CyberArk's 2026 prediction nailed this: "A runaway agent won't look dramatic. It will appear legitimate, authenticate successfully, and act quickly." The failure mode you should fear isn't a spectacular crash. It's quiet drift -- the agent doing something slightly wrong, thousands of times, while reporting success. Every guardrail section should include a logging requirement.

A real-world TCAG for Claude Code Routines

Here's a complete skill prompt for a Claude Code Routine that monitors a GitHub repo:

The Prompt:

TRIGGER: GitHub pull request opened against the `main` branch of myorg/api-service.

CONDITION: Act only if:
1. The PR modifies files in `src/auth/` or `src/middleware/`
2. The PR author is not in the CODEOWNERS list for those paths
3. The PR has no existing review from a security team member

ACTION:
1. Read the full diff of changed files in src/auth/ and src/middleware/
2. Check for: hardcoded credentials, disabled authentication checks, overly permissive CORS headers, unvalidated user input passed to database queries
3. Post a review comment summarizing findings with specific line references
4. If any critical finding exists, request changes. Otherwise, approve with notes.

GUARDRAIL:
- Never merge, close, or modify the PR beyond posting a review
- Never approve a PR that introduces a hardcoded secret, regardless of context
- If the diff exceeds 500 lines, post a comment requesting the PR be split and take no further action
- Log every review action to the #security-reviews Slack channel with PR number and verdict

Why This Works: The condition layer prevents noise -- it only fires on security-sensitive paths from non-owners without existing security review. The guardrail caps the blast radius (can't merge, can't approve secrets) and includes an escape hatch for oversized PRs that would exceed the agent's reliable analysis window. The logging requirement creates an audit trail.

Expected Output:

Security Review -- PR #847 Reviewed 3 files in src/auth/: token_validator.py, session_middleware.py, cors_config.py

Finding (line 42, cors_config.py): allow_origins=["*"] permits requests from any domain. Recommend restricting to known frontend domains.

Finding (line 15, session_middleware.py): Session token is compared using == instead of a constant-time comparison function. This creates a timing side-channel.

No hardcoded credentials detected. Requesting changes for the two findings above.

The money problem

The crypto AI trading competition of 2025 is the cautionary tale here. Autonomous trading agents, given real capital, lost between 30% and 63% of their starting funds. One model burned through nearly two-thirds of its allocation.

This is why the Agentic Risk Standard (ARS), published April 2026 by researchers from Google DeepMind, Microsoft Research, and Columbia University, applies financial risk management concepts -- escrow, collateral, underwriting -- to agent transactions. The principle: if your agent can spend money, it needs the same controls you'd put on a junior employee with a corporate card.

In prompt terms, that means:

• Hard spending caps per action and per day
• Mandatory human approval above a threshold
• No access to payment methods without explicit per-transaction authorization
• Cooldown periods between high-value actions

97% of enterprise leaders expect an AI agent incident within a year, but only 6% of budgets address agent governance (Black Hat MEA, 2026). The gap between deployment speed and safety is the defining tension of 2026. Your prompt guardrails are the cheapest, fastest safety layer you can deploy.

The portable skill format

One encouraging development: the SKILL.md open standard has gone cross-platform. What started as Gemini CLI's skill format now works with Claude Code, Codex CLI, Cursor, and OpenClaw. Same frontmatter structure (name, description, trigger metadata), same directory conventions. A skill written for one agent runtime works on others.

This means the TCAG pattern isn't platform-specific knowledge. Write your trigger-condition-action-guardrail prompt once, package it as a SKILL.md file, and it runs wherever your team's agent infrastructure lives. The prompt is becoming portable infrastructure.

Start with read-only

If you're writing your first always-on agent skill, start with something that can only read and report. A daily summary of unread emails by category. A weekly count of open PRs by author. A Monday morning digest of calendar conflicts.

No writes, no sends, no deletes. Get comfortable with the trigger and condition layers before you let the agent touch anything. Then add write actions one at a time, each with its own guardrail. Graduate from read-only to append-only to full actions as your trust in the prompt's condition filtering grows.

The agents are already running. 75% of businesses plan to deploy them by end of 2026 (Deloitte). The question isn't whether you'll write always-on agent instructions. It's whether your guardrail layer will be there when the trigger fires at 3 AM and the condition is ambiguous.

Write the guardrails first. Add the actions second.

If your team is building persistent agent workflows and wants hands-on training on prompt safety patterns, connect with Kief Studio on Discord or schedule a session.