diff --git a/install.sh b/install.sh
index 4680120..b85e67a 100755
--- a/install.sh
+++ b/install.sh
@@ -147,6 +147,33 @@ else
 echo " WARN: F2 hermes/yq missing — skipping denylist"
 fi
 
+# F2b — enable builtin allowlist via additive external_dirs
+# Hermes 0.14 uses additive external_dirs model (not pure denylist) — to enable
+# a builtin skill, add its hermes-agent/skills// path here.
+HERMES_AGENT_SKILLS="$HERMES_WORKSPACE/hermes-agent/skills"
+if [ "$DRY" = 1 ]; then
+ echo "DRY: F2b enable builtin allowlist via additive external_dirs → $PROFILE_CFG"
+elif command -v yq >/dev/null 2>&1; then
+ BUILTIN_PATHS=$(yq -r '.disclosure.skills[]? | select(.source=="builtin") | .path' "$REPO/manifest.yaml" 2>/dev/null || true)
+ BUILTIN_ENABLED=0
+ for p in $BUILTIN_PATHS; do
+ full="$HERMES_AGENT_SKILLS/$p"
+ if [ -d "$full" ]; then
+ if ! yq -r '.skills.external_dirs[]?' "$PROFILE_CFG" 2>/dev/null | grep -qF "$full"; then
+ mkdir -p "$(dirname "$PROFILE_CFG")"
+ full="$full" yq -i '.skills.external_dirs += [env(full)]' "$PROFILE_CFG" \
+ || echo " WARN: F2b yq write to $PROFILE_CFG failed for $full"
+ BUILTIN_ENABLED=$((BUILTIN_ENABLED + 1))
+ fi
+ else
+ echo " ⚠ F2b: builtin path missing — $full (skipped)" >&2
+ fi
+ done
+ [ "$BUILTIN_ENABLED" -gt 0 ] && echo " F2b enabled $BUILTIN_ENABLED builtin allowlist path(s) in external_dirs"
+else
+ echo " WARN: F2b yq not on PATH — skipping builtin allowlist"
+fi
+
 # F3 — propagate disclosure.inherit_mcp_toolsets to per-profile config.yaml
 if [ "$DRY" = 1 ]; then
 echo "DRY: F3 write agent.inherit_mcp_toolsets → $PROFILE_CFG"
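Review bot: Each `.path` value read from `manifest.yaml` is appended to `$HERMES_AGENT_SKILLS` and written into `skills.external_dirs` after only a `[ -d "$full" ]` test, so an entry containing `..` can put a directory outside `hermes-agent/skills` on the list that enables skills. I would reject such values at the top of the loop, e.g. `case "$p" in *..*) echo " WARN: F2b rejecting path $p" >&2; continue ;; esac`. The duplicate check `grep -qF "$full"` matches substrings, so an existing `…/skills/foo-bar` entry makes `…/skills/foo` look present and it is never added; `grep -qxF -- "$full"` compares whole lines. `BUILTIN_ENABLED` is also incremented after the `|| echo " WARN…"` branch, so the summary counts writes that failed, and the unquoted `for p in $BUILTIN_PATHS` splits any path that contains whitespace.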