fix(skill): enforce agent restriction in createSkillTool (#1018)

* fix(skill): enforce agent restriction in createSkillTool

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

* fix(skill): block restricted skills when agent context missing

Addresses cubic review feedback: previously agent-restricted skills
could be invoked when ctx or ctx.agent was undefined because the
guard only ran when ctx?.agent was truthy.

Changed condition from:
  skill.definition.agent && ctx?.agent && skill.definition.agent !== ctx.agent
To:
  skill.definition.agent && (!ctx?.agent || skill.definition.agent !== ctx.agent)

This ensures restricted skills are blocked unless the exact matching
agent is present in the context.

---------

Co-authored-by: justsisyphus <justsisyphus@users.noreply.github.com>
Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
justsisyphus
2026-01-23 16:32:41 +09:00
committed by GitHub
parent 1a901a50ac
commit 810dd93da2
2 changed files with 73 additions and 1 deletions

@@ -156,7 +156,7 @@ export function createSkillTool(options: SkillLoadOptions = {}): ToolDefinition
args: {
name: tool.schema.string().describe("The skill identifier from available_skills (e.g., 'code-review')"),
},
async execute(args: SkillArgs) {
async execute(args: SkillArgs, ctx?: { agent?: string }) {
const skills = await getSkills()
const skill = skills.find(s => s.name === args.name)
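
Review bot: The new `ctx?: { agent?: string }` parameter on `execute` is optional at both levels and nothing here documents who populates `ctx.agent`. The guard added further down treats that value as the caller's identity, so please add a comment on the signature stating that it must be set by the runtime and never derived from tool arguments such as `args.name`. A named type for the context would also be easier to keep in sync than the inline shape.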
@@ -165,6 +165,10 @@ export function createSkillTool(options: SkillLoadOptions = {}): ToolDefinition
throw new Error(`Skill "${args.name}" not found. Available skills: ${available || "none"}`)
}
if (skill.definition.agent && (!ctx?.agent || skill.definition.agent !== ctx.agent)) {
throw new Error(`Skill "${args.name}" is restricted to agent "${skill.definition.agent}"`)
}
let body = await extractSkillBody(skill)
if (args.name === "git-master") {
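
Review bot: In the new `if (skill.definition.agent && (!ctx?.agent || ...))` branch, a missing context and a mismatched agent throw the same `is restricted to agent "..."` error, so an integration that never passes `ctx` cannot be told apart from a genuine denial. Consider a separate message (or a log line) for the `!ctx?.agent` case. The error also echoes `skill.definition.agent` back to the caller; if the restricted agent's name is not meant to be visible to other agents, drop it from the message. Note that `!==` is an exact, case-sensitive string match, so agent names need to be normalized consistently wherever `skill.definition.agent` and `ctx.agent` are set.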