Commit acd65e6

codereview-roasted: instruct agent to check system clock for CVE date validation (#116)
Training data cutoff can cause the agent to be suspicious of CVEs from years beyond its training data (e.g., CVE-2026-* when training ended in 2025). Add explicit instruction to check the system date before dismissing CVE identifiers as invalid.

Co-authored-by: openhands <openhands@all-hands.dev>
1 parent 2fb00d7 commit acd65e6

1 file changed

+2
-0
lines changed

skills/codereview-roasted/SKILL.md

Lines changed: 2 additions & 0 deletions
@@ -68,6 +68,8 @@ Focus on real security risks, not theoretical ones:
6868
- Memory safety issues in unsafe languages
6969
- Concurrency bugs that cause data corruption
7070

71+
**Important**: When evaluating CVEs or security advisories, always check the system clock (`date`) to determine the current year. Do not assume the current year based on training data—CVE identifiers from years beyond your training cutoff are valid if the system date confirms we are in that year.
72+
7173
6. **Testing and Regression Proof**
7274
If this change adds new components/modules/endpoints or changes user-visible behavior, and the repository has a test infrastructure, there should be tests that prove the behavior.
7375

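Review bot: the condition that closes the added line 72, "valid if the system date confirms we are in that year", only covers identifiers whose year equals the current year, so an identifier from a year after the training cutoff but before the current year would still be treated as suspect. Suggest wording it as "if the system date is in or after that year". "Valid" also overstates what a clock check shows: it establishes that the year in the identifier is plausible, not that the identifier exists, so the text could say "should not be dismissed on date grounds" instead. Finally, the new paragraph sits flush between the bullet list and item 6, so it is unclear whether it belongs to the security-risk list above it; indenting it to match the list would make the scope explicit.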