
feat(skill): add desktop auto-update security#2597

Closed
452740336 wants to merge 1 commit into UnitOneAI:main from 452740336:codex/desktop-auto-update-security-skill

Conversation

@452740336


What This PR Does

Adds a new desktop-auto-update-security DevSecOps/AppSec skill for issue #297.

The skill covers:

  • insecure desktop update feed transport
  • missing or weak payload signature verification
  • downgrade acceptance and rollback policy review
  • stable/beta/nightly channel separation
  • release-signing credential exposure
  • installer privilege and auto-install risk
  • vulnerable and benign fixtures for Electron updater code and update packaging config
  • a lightweight verification script for the skill assets
  • index.yaml registration and role mappings

This contribution was prepared with Codex assistance and reviewed locally against the repository's validation expectations.

Framework References

  • Electron autoUpdater API and platform notices
  • SLSA release integrity concepts
  • CWE-345: Insufficient Verification of Data Authenticity
  • CWE-353: Missing Support for Integrity Check
  • CWE-494: Download of Code Without Integrity Check

Testing

Validated locally with:

@452740336 452740336 requested a review from kamalsrini as a code owner June 15, 2026 03:01
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 15, 2026
@github-actions github-actions Bot closed this Jun 15, 2026