security-audit

Hostile, fail-closed auditing of skills/repos before enabling: secrets, static analysis, prompt-injection signals, persistence checks, and dependency hygiene.