
tessl-labs/tessl-skill-review-ci

Implements Tessl skill review CI/CD pipelines through an interactive, configuration-first wizard. Supports GitHub Actions, GitLab CI, Jenkins, Azure DevOps, and CircleCI.

Score: 94 (1.75x)

Quality: 90% (Does it follow best practices?)

Impact: 100%, 1.75x (average score across 5 eval scenarios)


evals/scenario-4/task.md

Secure Skill Review for Open-Source Repository

Problem/Feature Description

An open-source project maintainer wants to add automated skill review to their public GitHub repository. The project accepts contributions from external developers via fork-based pull requests. Security is a top priority — the maintainer has read about supply chain attacks where malicious PRs exfiltrate secrets from CI pipelines.

The repository needs a skill review setup that:

  • Reviews skills submitted by external contributors
  • Posts review results as PR comments
  • Never exposes API keys or tokens to code running from forked PRs
  • Tracks score changes over time with a persistent cache

The project's default branch is main and uses the standard file layout.

Output Specification

Produce:

  1. All necessary GitHub Actions workflow files (write each to a descriptively named .yml file).
  2. A file called security-analysis.md explaining the security model — how secrets are protected from fork PRs, what runs in trusted vs untrusted contexts.
  3. A file called setup-checklist.md listing all manual configuration steps needed after the files are created.

Install with Tessl CLI

npx tessl i tessl-labs/tessl-skill-review-ci@0.2.0
