feat: allow runner to use Skill and Agent tools

[mcljot]

I have ~30 skills as part of a pipeline, and none of them get invoked using the 'Skill' tool. Instead, the runner agent reads and interprets the skill.md markdown. It's a pretty long pipeline and the context gets to be huge if the session does that. I have been unable to override the platform config with settings.json or other mechanisms and I believe it's a platform change that's needed.

This PR adds Skill and Agent to the default allowed tools list so the runner can invoke skills and dispatch agents directly without needing to read and interpret them manually.

It may have been a deliberate design choice to exclude these, if so I'd like to understand more. Thanks! :)

[coderabbitai]

📝 Walkthrough

Walkthrough

Extended the allowed tools list in the MCP bridge by adding "Skill" and "Agent" to DEFAULT_ALLOWED_TOOLS. These tools are now permitted alongside existing defaults in the Claude MCP configuration.

Changes

Cohort / File(s)	Summary
Claude MCP Allowed Tools components/runners/ambient-runner/ambient_runner/bridges/claude/mcp.py	Added "Skill" and "Agent" to DEFAULT_ALLOWED_TOOLS constant, expanding the base set of permitted tools (+2 entries).

🚥 Pre-merge checks | ✅ 6

✅ Passed checks (6 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits format with 'feat' type and clearly describes the main change: enabling Skill and Agent tool invocation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Performance And Algorithmic Complexity	✅ Passed	PR adds two string constants to static list with O(n+m) linear complexity; no algorithmic changes, expensive operations, or performance impact.
Security And Secret Handling	✅ Passed	Adding 'Skill' and 'Agent' to DEFAULT_ALLOWED_TOOLS in mcp.py introduces no secrets, sensitive data logging, injection vulnerabilities, or auth/K8s resource issues.
Kubernetes Resource Safety	✅ Passed	Kubernetes Resource Safety check not applicable; PR modifies only Python source file with no Kubernetes manifests or infrastructure concerns.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@components/runners/ambient-runner/ambient_runner/bridges/claude/mcp.py`:
- Around line 31-32: Remove "Skill" and "Agent" from the default allowlist and
instead only add them when an explicit trust/feature check passes: update the
list in mcp.py to exclude these capabilities by default, and in the code path
that constructs/passes the capabilities to the Claude options (the function that
assembles Claude options / prepares bridge options in the Claude bridge)
conditionally append "Skill" and "Agent" only if the caller/context satisfies a
clear predicate (e.g., caller.is_trusted() or has_feature("allow_skill_invoke")
) — ensure the predicate check is applied exactly where the list is forwarded
into the Claude options so the bridge never forwards "Skill" or "Agent" unless
the explicit trust/feature check succeeds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7b08ea70-966f-497a-9dc2-a4085c828d4e

📥 Commits

Reviewing files that changed from the base of the PR and between 4b12c81 and f186214.

📒 Files selected for processing (1)

• components/runners/ambient-runner/ambient_runner/bridges/claude/mcp.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Gate Skill and Agent behind an explicit trust/feature check instead of default allow.

Adding these to the default allowlist grants agent-dispatch and skill-invocation power to every run path, and this list is passed straight through to Claude options without downstream filtering (components/runners/ambient-runner/ambient_runner/bridges/claude/bridge.py Line 551-566, 574-583, 603-612). That expands blast radius for prompt-injection and violates least-privilege defaults.

As per coding guidelines, "Flag only errors, security risks, or functionality-breaking problems."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@components/runners/ambient-runner/ambient_runner/bridges/claude/mcp.py`
around lines 31 - 32, Remove "Skill" and "Agent" from the default allowlist and
instead only add them when an explicit trust/feature check passes: update the
list in mcp.py to exclude these capabilities by default, and in the code path
that constructs/passes the capabilities to the Claude options (the function that
assembles Claude options / prepares bridge options in the Claude bridge)
conditionally append "Skill" and "Agent" only if the caller/context satisfies a
clear predicate (e.g., caller.is_trusted() or has_feature("allow_skill_invoke")
) — ensure the predicate check is applied exactly where the list is forwarded
into the Claude options so the bridge never forwards "Skill" or "Agent" unless
the explicit trust/feature check succeeds.

[mcljot]

1. Skill and Agent are core Claude Code tools, equivalent in trust level to the already-allowed Read, Write, Bash, Glob, Grep, Edit,
   MultiEdit, and WebSearch
2. No core tool in the allowlist is gated behind a feature flag — adding one for these two would be inconsistent
3. Bash (already unconditionally allowed) is strictly more powerful than either Skill or Agent
4. The runner environment is already trust-bounded (containerized pod, user-scoped credentials)

[jwm4]

Confirmed: this is the correct fix.

We independently investigated this issue and identified the same root cause — "Skill" is absent from DEFAULT_ALLOWED_TOOLS, so the SDK's explicit allowed_tools parameter blocks the Skill tool even though skills are properly discovered via setting_sources=["project"]. This forces Claude to fall back to reading .claude/commands/*.md files directly, which loads them as general context rather than authoritative skill instructions, and bloats the context window (especially painful with ~30 skills in a pipeline).

Adding "Agent" is also a sensible default for agentic sessions — it enables subagent dispatch for parallel work.

The fix is minimal and correct. 👍

---

This review was performed by Claude Code under the supervision of Bill Murdock.

[jeremyeder]

Closing — this change has been incorporated into PR #1091 (feat/combined-runner-upgrade) and will land with that PR.