e3c0084140
The security scanner is meant to protect against hostile external skills pulled from GitHub via hermes skills install — trusted/community policies block or ask on dangerous verdicts accordingly. But agent-created skills (from skill_manage) run in the same process as the agent that wrote them. The agent can already execute the same code paths via terminal() with no gate, so the ask-on-dangerous policy adds friction without meaningful security. Concrete trigger: an agent writing a PR-review skill that describes cache-busting or persistence semantics in prose gets blocked because those words appear in the patterns list. The skill isn't actually doing anything dangerous — it's just documenting what reviewers should watch for in other PRs. Change: agent-created dangerous verdict maps to 'allow' instead of 'ask'. External hub installs (trusted/community) keep their stricter policies intact. Tests updated: renamed test_dangerous_agent_created_asks → test_dangerous_agent_created_allowed; renamed force-override test and updated assertion since force is now a no-op for agent-created (the allow branch returns first).