From 0fab46f65ca219420b2eb9303518b7e5dda8f369 Mon Sep 17 00:00:00 2001
From: Test
Date: Tue, 17 Mar 2026 12:18:53 -0700
Subject: [PATCH] fix: allow agent-created skills with caution-level findings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Agent-created skills were using the same policy as community hub installs, blocking any skill with medium/high severity findings (e.g. docker pull, pip install, git clone). This meant the agent couldn't create skills that reference Docker or other common tools. Changed agent-created policy from (allow, block, block) to (allow, allow, block) — matching the trusted policy. Caution-level findings (medium/high severity) are now allowed through, while dangerous findings (critical severity like exfiltration, prompt injection, reverse shells) remain blocked. Added 4 tests covering the agent-created policy: safe allowed, caution allowed, dangerous blocked, force override.
---
 tests/tools/test_skills_guard.py | 28 ++++++++++++++++++++++++++++
 tools/skills_guard.py | 2 +-
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/tests/tools/test_skills_guard.py b/tests/tools/test_skills_guard.py
index 7bcf55e81..d67057776 100644
--- a/tests/tools/test_skills_guard.py
+++ b/tests/tools/test_skills_guard.py
@@ -154,6 +154,34 @@ class TestShouldAllowInstall:
 assert allowed is True
 assert "Force-installed" in reason
+ # -- agent-created policy --
+
+ def test_safe_agent_created_allowed(self):
+ allowed, _ = should_allow_install(self._result("agent-created", "safe"))
+ assert allowed is True
+
+ def test_caution_agent_created_allowed(self):
+ """Agent-created skills with caution verdict (e.g. docker refs) should pass."""
+ f = [Finding("docker_pull", "medium", "supply_chain", "SKILL.md", 1, "docker pull img", "pulls Docker image")]
+ allowed, reason = should_allow_install(self._result("agent-created", "caution", f))
+ assert allowed is True
+ assert "agent-created" in reason
+
+ def test_dangerous_agent_created_blocked(self):
+ """Agent-created skills with dangerous verdict (critical findings) stay blocked."""
+ f = [Finding("env_exfil_curl", "critical", "exfiltration", "SKILL.md", 1, "curl $TOKEN", "exfiltration")]
+ allowed, reason = should_allow_install(self._result("agent-created", "dangerous", f))
+ assert allowed is False
+ assert "Blocked" in reason
+
+ def test_force_overrides_dangerous_for_agent_created(self):
+ f = [Finding("x", "critical", "c", "f", 1, "m", "d")]
+ allowed, reason = should_allow_install(
+ self._result("agent-created", "dangerous", f), force=True
+ )
+ assert allowed is True
+ assert "Force-installed" in reason
+
 # ---------------------------------------------------------------------------
 # scan_file — pattern detection
diff --git a/tools/skills_guard.py b/tools/skills_guard.py
index df62edbe6..3702a2b69 100644
--- a/tools/skills_guard.py
+++ b/tools/skills_guard.py
@@ -43,7 +43,7 @@ INSTALL_POLICY = {
 "builtin": ("allow", "allow", "allow"),
 "trusted": ("allow", "allow", "block"),
 "community": ("allow", "block", "block"),
- "agent-created": ("allow", "block", "block"),
+ "agent-created": ("allow", "allow", "block"),
 }
 VERDICT_INDEX = {"safe": 0, "caution": 1, "dangerous": 2}
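Review bot: `test_caution_agent_created_allowed` pins only a `medium` finding, while the commit message says the caution verdict also spans `high` severity, and because `_result` receives the verdict as a literal none of the four new tests shows that a high-severity finding (the docker/pip/git case the fix is motivated by) is actually classified as caution rather than dangerous. The policy lookup is therefore tested, but the severity-to-verdict step that decides whether the new row is reached is not visible here. Either add a sibling case that builds the result with a `high` finding through the real scan/verdict path, or mark the shortcut in the test, e.g. `# verdict is hand-assigned here; severity→verdict mapping must be covered by the scan tests` — I cannot see from the hunk whether such coverage exists. `_result` and the `TestShouldAllowInstall` class header are outside the hunk.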
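Review bot: The new `"agent-created"` row makes the caution verdict pass with the same scrutiny as a `trusted` install, and since the commit message defines caution as medium or high severity, a skill the agent writes after reading untrusted input is now installed with nothing but the reason string marking its origin; only critical findings still block. That is a deliberate trust decision and belongs next to the row rather than only in the commit message, e.g. `# agent-created == trusted: medium/high findings (docker/pip/git refs) pass, critical still blocks; the reason string names the source so callers can surface it`. Note that a policy tuple cannot express "allow caution unless any finding is high", so a later tightening would need a check beside the lookup in the caller — I am inferring that caller from the test's `should_allow_install` only. The `INSTALL_POLICY` dict opens before the hunk.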