
feat(skill): add path traversal review #2599 (Closed)

452740336 wants to merge 1 commit into UnitOneAI:main from 452740336:codex/path-traversal-review-skill

Conversation

@452740336


What This PR Does

Adds a new path-traversal-review AppSec skill for issue #286.

The skill covers:

  • JavaScript/TypeScript and Python path traversal review flows
  • file-serving, file-read/write, object-key, and archive-extraction sinks
  • separator-safe containment checks with path.relative and Path.relative_to
  • vulnerable and benign fixtures for direct file reads and archive extraction
  • a lightweight verification script for the skill assets
  • index.yaml registration and role mappings

This contribution was prepared with Codex assistance and reviewed locally against the repository's validation expectations.

Framework References

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory
  • CWE-23: Relative Path Traversal
  • CWE-36: Absolute Path Traversal
  • OWASP path traversal guidance
  • Node.js path.resolve, path.relative, and path.isAbsolute
  • Python pathlib.Path.resolve and Path.relative_to

Testing

Validated locally with:

452740336 requested a review from kamalsrini as a code owner, June 15, 2026 03:02
github-actions bot added the needs-approved-issue label (PR has no linked maintainer-approved issue), Jun 15, 2026
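The separator-safe containment check the description lists (resolve, then Path.relative_to) next to the naive prefix compare it replaces, as an added Python example; this is not code from the PR or the SecuritySkills repository, and the base directory and file names are constructed:

```python
import os
from pathlib import Path

# Constructed base directory for the example; a real service would use its
# configured upload or static-file root.
BASE_DIR = Path("/srv/app/files")


def naive_prefix_check(base: Path, user_path: str) -> bool:
    """The weak form: join, normalise, then compare as a string prefix.

    It accepts a sibling directory that merely shares the prefix
    (/srv/app/files_private) because startswith knows nothing about
    path-separator boundaries.
    """
    candidate = os.path.normpath(os.path.join(str(base), user_path))
    return candidate.startswith(str(base))


def is_contained(base: Path, user_path: str) -> bool:
    """Separator-safe form using Path.resolve and Path.relative_to.

    resolve() collapses '..' segments and follows any symlinks that exist
    (strict=False, so a file that does not exist yet can still be checked).
    relative_to() compares whole path components, so it rejects a sibling
    prefix, an absolute path (CWE-36) and any '..' escape (CWE-23).
    """
    root = base.resolve()
    # An absolute user_path replaces root entirely in the join; resolve()
    # then yields a path outside root, which relative_to() rejects.
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return False
    return True


def safe_file_path(base: Path, user_path: str) -> Path:
    """Return the resolved path only when it stays inside base."""
    if not is_contained(base, user_path):
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return (base.resolve() / user_path).resolve()


if __name__ == "__main__":
    for p in ["reports/q1.pdf", "../../etc/passwd", "/etc/passwd",
              "../files_private/secret.txt"]:
        print(f"{p!r:32} naive={naive_prefix_check(BASE_DIR, p)!s:5} "
              f"safe={is_contained(BASE_DIR, p)}")
```

The sibling-prefix input is the one the naive check accepts and the relative_to check rejects; the other three behave the same under both, which is why a prefix compare looks correct in casual testing.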
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot closed this Jun 15, 2026