> how are you handling the trust boundary for self-created skills?

At least in the Claude model, there's nothing a skill can do that the model couldn't already do? Isn't it still the same tool calls underneath, with the same permissions?

Think of skills as plugins providing AGENTS.md snippets and a subdirectory of executables, as if those were part of the workspace to begin with.