fix(repo): Harden catalog sync and release integrity

Tighten the repo-state automation so canonical bot commits remain
predictable while leaving main clean after each sync.

Make the public catalog UI more honest by hiding dev-only sync,
turning stars into explicit browser-local saves, aligning risk types,
and removing hardcoded catalog counts.

Add shared public asset URL helpers, risk suggestion plumbing,
safer unpack/sync guards, and CI coverage gates so release and
maintainer workflows catch drift earlier.

tools/scripts/tests/test_sync_microsoft_skills_security.py

@@ -95,6 +95,33 @@ class SyncMicrosoftSkillsSecurityTests(unittest.TestCase):
                 target.unlink()
                 outside.rmdir()
 
+    def test_find_plugin_skills_ignores_symlinked_skill_markdown(self):
+        with tempfile.TemporaryDirectory() as temp_dir:
+            root = Path(temp_dir)
+            github_plugins = root / ".github" / "plugins"
+            github_plugins.mkdir(parents=True)
+
+            safe_plugin = github_plugins / "safe-plugin"
+            safe_plugin.mkdir()
+            (safe_plugin / "SKILL.md").write_text("---\nname: safe-plugin\n---\n", encoding="utf-8")
+
+            linked_plugin = github_plugins / "linked-plugin"
+            linked_plugin.mkdir()
+
+            outside = Path(tempfile.mkdtemp())
+            try:
+                target = outside / "SKILL.md"
+                target.write_text("---\nname: escaped\n---\n", encoding="utf-8")
+                (linked_plugin / "SKILL.md").symlink_to(target)
+
+                entries = sms.find_plugin_skills(root, set())
+                relative_paths = {str(entry["relative_path"]) for entry in entries}
+
+                self.assertEqual(relative_paths, {"plugins/safe-plugin"})
+            finally:
+                target.unlink()
+                outside.rmdir()
+
 
 if __name__ == "__main__":
     unittest.main()