fix(skills-guard): allow agent-created dangerous verdicts without confirmation

The security scanner is meant to protect against hostile external skills
pulled from GitHub via hermes skills install — trusted/community policies
block or ask on dangerous verdicts accordingly. But agent-created skills
(from skill_manage) run in the same process as the agent that wrote them.
The agent can already execute the same code paths via terminal() with no
gate, so the ask-on-dangerous policy adds friction without meaningful
security.

Concrete trigger: an agent writing a PR-review skill that describes
cache-busting or persistence semantics in prose gets blocked because
those words appear in the patterns list. The skill isn't actually doing
anything dangerous — it's just documenting what reviewers should watch
for in other PRs.

Change: agent-created dangerous verdict maps to 'allow' instead of 'ask'.
External hub installs (trusted/community) keep their stricter policies
intact. Tests updated: renamed test_dangerous_agent_created_asks →
test_dangerous_agent_created_allowed; renamed force-override test and
updated assertion since force is now a no-op for agent-created (the allow
branch returns first).

tools/skills_guard.py

@@ -43,7 +43,11 @@ INSTALL_POLICY = {
     "builtin":       ("allow",  "allow",   "allow"),
     "trusted":       ("allow",  "allow",   "block"),
     "community":     ("allow",  "block",   "block"),
-    "agent-created": ("allow",  "allow",   "ask"),
+    # Agent-created skills run in the same process as the agent that
+    # wrote them — the agent could already execute the same code via
+    # terminal(), so a dangerous-pattern gate on skill_manage adds
+    # friction without meaningful security. Allow all verdicts.
+    "agent-created": ("allow",  "allow",   "allow"),
 }
 
 VERDICT_INDEX = {"safe": 0, "caution": 1, "dangerous": 2}