Address Snyk and Socket security audit findings in skill docs
zarazhangrui/codebase-to-course
## Context
Two security audits flagged the codebase-to-course skill metadata and docs.
### Snyk findings
- W007 (HIGH): risky credential handling from verbatim code-snippet guidance.
- W011 (MEDIUM): third-party content exposure from arbitrary repo intake.
- W012 (MEDIUM): unverifiable external dependency risk from runtime external clone flow.
### Socket finding
- README.md flagged as Obfuscated File (HIGH), likely a false positive but still fails audit.
## Proposed fixes
- Remove auto-clone guidance for external URLs; treat external repos as untrusted input.
- Require trusted local checkout paths and never execute analyzed repo code.
- Replace verbatim snippet policy with logic fidelity plus mandatory secret redaction.
- Add explicit secret leakage prevention rules (.env, keys, tokens, passwords, dumps).
- Normalize markdown punctuation and symbols to ASCII to reduce obfuscation false positives.
- Add explicit Security note in README describing safe output behavior.
## Acceptance criteria
- Snyk W007/W011/W012 addressed in SKILL.md and reflected in README.md.
- README.md includes explicit security posture language.
- Skill functionality remains the same except stronger security guardrails.
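The "logic fidelity plus mandatory secret redaction" policy proposed above can be pictured as a redaction pass run over every snippet before it is written into course output. This is an added example, not code from the codebase-to-course repository; `redact_snippet`, `RULES`, the key-name list and the sample input are all hypothetical.

```python
import re

PLACEHOLDER = "<REDACTED>"
QUOTE = r"""["']"""
# Assumed naming convention for secret-bearing keys; not taken from the project.
SECRET_NAME = r"[\w.-]*(?:password|passwd|secret|token|api[_-]?key|private[_-]?key)[\w.-]*"

# Hypothetical rule set: (pattern, replacement), applied in order.
RULES = [
    # PEM private key block of any key type: drop the whole block.
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
                re.S), PLACEHOLDER),
    # Secret-named key bound to a quoted literal (code, JSON, YAML):
    # keep key, separator and quotes so the logic still reads the same.
    (re.compile(rf"(?i)(\b{SECRET_NAME}{QUOTE}?\s*[:=]\s*)({QUOTE})(?:(?!\2).)+\2"),
     rf"\1\2{PLACEHOLDER}\2"),
    # .env-style line with an unquoted value.
    (re.compile(rf"(?im)^(\s*(?:export\s+)?{SECRET_NAME}=)(?!{QUOTE})\S+[ \t]*$"),
     rf"\1{PLACEHOLDER}"),
]

# Constructed sample input; every value in it is fake.
SAMPLE = '''\
def connect(host):
    db_password = "hunter2-constructed"
    token = os.environ["API_TOKEN"]
    return Client(host, password=db_password, token=token)

# .env
PAYMENT_SECRET_KEY=constructed-value-123
DEBUG=true
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQ=
-----END RSA PRIVATE KEY-----
'''


def redact_snippet(text):
    """Return (redacted_text, number_of_redactions); non-secret lines are untouched."""
    total = 0
    for pattern, replacement in RULES:
        text, count = pattern.subn(replacement, text)
        total += count
    return text, total


if __name__ == "__main__":
    redacted, hits = redact_snippet(SAMPLE)
    print(f"{hits} redaction(s)\n{redacted}")
```

The rules err toward over-redaction: an unquoted `token=value` at the start of a line is replaced even when the right-hand side is an expression rather than a literal.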