Fix allowed-tools to use spec-compliant space-delimited strings

[jonathanhefner]

Per the agentskills.io specification, allowed-tools must be a single string of space-delimited patterns, not a YAML list. Converted all 23 SKILL.md files from the - Item list format to the correct "Item1 Item2" string format. Also updated the frontmatter examples in CLAUDE.md and the workflow-skill-design skill template to match.

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[CLAassistant]

All committers have signed the CLA.

[dguido]

Automated Review — PR #139

Warning: Complex PR — flagged for human review (touches CLAUDE.md)

Spec Verification

Confirmed against agentskills.io/specification: the allowed-tools field is defined as "A space-delimited list of tools that are pre-approved to run" with example allowed-tools: Bash(git:*) Bash(jq:*) Read. The YAML array format used previously was non-compliant. This PR correctly converts to the spec format.

Review Findings

All 23 SKILL.md files and CLAUDE.md are correctly converted. Changes are mechanical and consistent — each YAML list is flattened to a single space-delimited string on the same line as allowed-tools:.

Minor issues / observations:

1. firebase-apk-scanner uses comma-delimited format (allowed-tools: Bash({baseDir}/scanner.sh:*), Bash(apktool:*), Bash(curl:*), Read, Grep, Glob). This was pre-existing and not touched by the PR. The spec example uses spaces without commas (Bash(git:*) Bash(jq:*) Read), so the commas may be non-compliant. Could be fixed in a follow-up.

2. workflow-skill-design reference files still show YAML list format in code examples within references/anti-patterns.md (lines 261-308). These are illustrative examples inside a reference doc (not actual frontmatter), so it's debatable whether they need updating. Updating them would prevent contributors from copying the old format.

3. Commands and agents still use YAML list format (e.g., burpsuite-project-parser/commands/burp-search.md, zeroize-audit/agents/*.md, spec-to-code-compliance/commands/spec-compliance.md, skill-improver/commands/*.md). These are Claude Code plugin components, not agentskills.io skills, so they may follow a different spec. If the allowed-tools semantics are shared, these should also be converted. Worth confirming with the author.

4. Template example in workflow-skill-design SKILL.md line 127 wraps the placeholder in quotes: allowed-tools: "[minimum tools needed, space-delimited]". The quotes are technically valid YAML but could mislead contributors into thinking values need quoting. Nit-level.

Validation

• validate_codex_skills.py: PASS (61 skills, 62 Codex entries)
• validate_plugin_metadata.py: PASS (36 plugins)

Recommendation

Approve with optional follow-up for items 1-3 above. The core change is correct and well-scoped.

Changes Made

None — review-only for complex PRs.

---

Reviewed by Claude Code