ci: add automated skill review for SKILL.md pull requests

[popey]

Hullo! Thanks for merging the skill improvements earlier. This is a follow-up that adds a lightweight GitHub Action to automatically review any SKILL.md files when they're changed in a PR, using tessl skill review.

• Triggers only on PRs that touch **/SKILL.md
• Posts review results as a PR comment
• Minimal permissions: pull-requests: write and contents: read

This way you and your contributors get an instant quality signal on skill changes before manual review — no signup or tokens needed.

[willamhou]

Thanks for the contribution! However, we have some security concerns that need to be addressed before this can be considered for merge:

1. Unpinned action reference (@main)

tesslio/skill-review@main is pinned to a mutable branch. This means the action code can change at any time without our review. Per GitHub's security hardening guide, third-party actions should be pinned to a full commit SHA.

2. Unverified action source

tesslio/skill-review is not a GitHub Verified Creator and we haven't been able to audit the action's source. Before granting CI execution to a third-party action, we need to understand what it does and establish trust in the maintainer.

3. Overly broad permissions

The workflow grants pull-requests: write to an unaudited action. A compromised action with this permission could post arbitrary comments, manipulate review state, or exfiltrate the GITHUB_TOKEN.

4. No current use case

This repo doesn't currently have any SKILL.md files, so the workflow wouldn't serve a practical purpose at this time.

---

To move forward, we'd need at minimum:

• Pin the action to a full commit SHA
• Provide documentation or source audit of what the action does
• Justify the pull-requests: write permission scope
• Demonstrate a concrete use case for this repo

We appreciate the effort, but we're not comfortable merging this in its current form due to supply chain risk.