Comment by gbrindisi

12 hours ago

I like the pattern of making a dedicated CLI/harness and just building a skill to teach coding agents to use it.

At $work we built a thorough workflow to do security reviews, which is a pure skill to simplify adoption: https://www.synthesia.io/post/automating-code-security-revie...

But the user experience is tricky, because if we aim for very low false positives the run time for this kind of workflow is too long, and it's then hard to justify blocking PRs.