#10530: fix: tighten skill scanner false positives and add vm module detection

by abdelsfane open 2026-02-06 16:26
size: S trusted-contributor
## Summary

- Fix overly broad `\bpost\b` regex in exfiltration and env-harvesting context patterns — was matching the word "post" in comments and variable names, causing false positives. Now requires `method:"POST"`, `.post()`, or `http.request` patterns instead
- Add `vm` module detection rule covering `vm.runInNewContext`, `vm.compileFunction`, `vm.Script`, and `vm.runInThisContext` — gated on `"node:vm"` or `"vm"` import context to avoid false positives
- Add 10 new tests covering false positive regression, vm detection, and vm context gating

## Test plan

- [x] Build passes
- [x] All 29 scanner tests pass
- [x] All 44 audit tests pass (73 total across both suites)
- [x] Existing exfiltration test updated to use `method: "POST"` instead of bare "post"
- [x] New test verifies bare "post" in comments does NOT trigger exfiltration rule

## Greptile Overview

### Greptile Summary

- Tightens exfiltration/env-harvesting context matching by replacing a broad `\bpost\b` check with more specific `method:"POST"`, `.post(...)`, `fetch`, or `http.request` patterns.
- Adds a new line-based detection rule for Node's `vm` module APIs (with import-string context gating) to flag dynamic code execution.
- Updates/extends the test suite with regression coverage for the prior `post` false-positive and new vm detection/gating cases.

### Confidence Score: 4/5

- Mostly safe to merge, but vm detection/deduping issues likely reduce intended scanner coverage.
- Changes are localized to regex-based detection and tests; however, introducing a second line-rule with the same `ruleId` causes deterministic under-reporting in files that contain multiple dynamic-execution indicators, and the vm regex misses the common `new vm.Script(...)` form, so the PR doesn't fully achieve its stated detection goals.
- src/security/skill-scanner.ts
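
The two behaviours described above (tightened network-send context and import-gated `vm` detection), as an added TypeScript example that is not the code in `src/security/skill-scanner.ts`. The rule IDs, the `process.env` primary signal, the regexes and the sample inputs are assumptions constructed for illustration; the vm pattern also matches `new vm.Script(...)` and reports under its own rule ID, the two points the review raises.

```typescript
// Added illustration; rule IDs and names are hypothetical, not the project's.
type Finding = { ruleId: string; line: number };

// Pre-fix context check: any standalone word "post" counted as a network send.
const BROAD_POST = /\bpost\b/i;
// Tightened context: method:"POST", .post(...), fetch(...), or http(s).request.
const NETWORK_SEND =
  /method\s*:\s*["'`]POST["'`]|\.post\s*\(|\bfetch\s*\(|\bhttps?\.request\b/i;
// Assumed primary signal for the env-harvesting rule.
const ENV_ACCESS = /\bprocess\.env\b/;
// Gate: the file must name the vm module as a quoted specifier.
const VM_IMPORT = /["'`](?:node:)?vm["'`]/;
// Not anchored on "(" or line start, so vm.Script(...) and new vm.Script(...) both match.
const VM_CALL = /\bvm\.(?:runInNewContext|runInThisContext|compileFunction|Script)\b/;

function scan(source: string, tightened: boolean = true): Finding[] {
  const findings: Finding[] = [];
  const sendContext = (tightened ? NETWORK_SEND : BROAD_POST).test(source);
  const vmContext = VM_IMPORT.test(source);
  source.split(/\r?\n/).forEach((text: string, i: number) => {
    if (sendContext && ENV_ACCESS.test(text)) {
      findings.push({ ruleId: "env-harvesting", line: i + 1 });
    }
    // Own ruleId, reported per line, so vm hits are not folded into another rule.
    if (vmContext && VM_CALL.test(text)) {
      findings.push({ ruleId: "vm-dynamic-exec", line: i + 1 });
    }
  });
  return findings;
}

// Constructed samples.
const BENIGN = [
  "// post a summary to the log once parsing is done",
  "const home = process.env.HOME;",
].join("\n");
const HARVEST = [
  "const token = process.env.API_TOKEN;",
  'await fetch(url, { method: "POST", body: token });',
].join("\n");
const VM_SAMPLE = [
  'import vm from "node:vm";',
  "const s = new vm.Script(code);",
  "vm.runInNewContext(code, {});",
].join("\n");
// A local object that happens to be called vm, with no vm module import.
const VM_UNGATED = ["const vm = makeViewModel();", "vm.Script = loadTemplate();"].join("\n");
```

Calling `scan(BENIGN, false)` reproduces the old false positive, while the default tightened mode leaves that sample clean.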
