chore: Remove broad Bash(pwsh:*) permission from review-respond and review-rounds SKILLs

hanatyan128 · hanatyan128 · commit d0a54778769d · 2026-05-07T18:40:18.000+09:00
Build / format commands run inside review-helper Sub, not at the leader level. The wildcard pwsh permission allowed arbitrary 'pwsh -Command' execution from the leader, which is unnecessary and overly broad. The review-helper agent retains a narrow 'Bash(pwsh ./build.ps1:*)' for the project build script.
diff --git a/.claude/skills/review-respond/SKILL.md b/.claude/skills/review-respond/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: review-respond
 description: Triage, estimate, fix, self-review, and update the review document for review findings
-allowed-tools: Agent, Read, Write, Edit, Glob, Grep, Bash(grep:*), Bash(ls:*), Bash(find:*), Bash(mkdir:*), Bash(git log:*), Bash(git diff:*), Bash(git show:*), Bash(git add:*), Bash(git commit:*), Bash(git status:*), Bash(cmake:*), Bash(make:*), Bash(pwsh:*), Bash(clang-format:*), Bash(cmake-format:*), Bash(.claude/scripts/rm-tmp.sh:*), Bash(python .claude/scripts/render-review.py:*)
+allowed-tools: Agent, Read, Write, Edit, Glob, Grep, Bash(grep:*), Bash(ls:*), Bash(find:*), Bash(mkdir:*), Bash(git log:*), Bash(git diff:*), Bash(git show:*), Bash(git add:*), Bash(git commit:*), Bash(git status:*), Bash(cmake:*), Bash(make:*), Bash(clang-format:*), Bash(cmake-format:*), Bash(.claude/scripts/rm-tmp.sh:*), Bash(python .claude/scripts/render-review.py:*)
 ---
 
 # Review Respond
diff --git a/.claude/skills/review-rounds/SKILL.md b/.claude/skills/review-rounds/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: review-rounds
 description: Automatically iterate parallel review, respond, and resolve across multiple rounds until no actionable findings remain
-allowed-tools: Agent, Read, Write, Edit, Glob, Grep, Bash(grep:*), Bash(ls:*), Bash(find:*), Bash(git log:*), Bash(git diff:*), Bash(git show:*), Bash(git status:*), Bash(git branch:*), Bash(mkdir:*), Bash(cmake:*), Bash(make:*), Bash(pwsh:*), Bash(clang-format:*), Bash(cmake-format:*), Bash(.claude/scripts/rm-tmp.sh:*)
+allowed-tools: Agent, Read, Write, Edit, Glob, Grep, Bash(grep:*), Bash(ls:*), Bash(find:*), Bash(git log:*), Bash(git diff:*), Bash(git show:*), Bash(git status:*), Bash(git branch:*), Bash(mkdir:*), Bash(cmake:*), Bash(make:*), Bash(clang-format:*), Bash(cmake-format:*), Bash(.claude/scripts/rm-tmp.sh:*)
 ---
 
 # Automatic Review Round Execution
