#23768: Skills: pin and verify workspace skill content hashes

by bmendonca3, open, 2026-02-22 17:34

Labels: agents, size: M, trusted-contributor

## Summary

- add deterministic skill-folder fingerprinting for workspace skills and persist a baseline lock at `.clawhub/openclaw-integrity.json`
- quarantine workspace skills when content hash drifts from the pinned fingerprint
- support explicit re-enable by setting `skills.entries.<skill>.config.integrityFingerprint` to the current fingerprint

## Testing

- `pnpm lint`
- `pnpm vitest run --config vitest.unit.config.ts src/agents/skills.buildworkspaceskillsnapshot.test.ts src/agents/skills.test.ts`

### Greptile Summary

Adds deterministic skill-folder fingerprinting for workspace skills with SHA-256 content hashing. Skills are pinned to `.clawhub/openclaw-integrity.json` on first load, and quarantined if their content changes unless explicitly re-approved via config.

**Key changes:**

- New `integrity.ts` module with `computeSkillFingerprint()` and `resolveWorkspaceSkillIntegrity()` functions
- Workspace skills are automatically fingerprinted and tracked in a lock file
- Skills with content drift are excluded from loading unless `skills.entries.<skill>.config.integrityFingerprint` matches the current fingerprint
- Comprehensive test coverage for the quarantine and re-enable workflow
- Clean integration with existing skill loading pipeline

### Confidence Score: 5/5

- Safe to merge with no blockers
- Clean implementation with proper error handling, comprehensive test coverage, and well-scoped changes that integrate cleanly into existing infrastructure
- No files require special attention

Last reviewed commit: ccf219c
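The pin, verify, quarantine and re-enable flow described above, as an added TypeScript example that is not the PR's `integrity.ts`. The function names, the in-memory `Map` standing in for the lock file, the `sha256:` prefix and the length-prefixed hashing scheme are all assumptions, and the file contents are passed in as a map of relative paths already read from the skill folder.

```typescript
import { createHash } from "node:crypto";

type SkillFiles = Record<string, string>; // relative path -> file content
type Verdict = "pinned" | "ok" | "re-approved" | "quarantined";

// Deterministic fingerprint: normalise separators, sort by path, and
// length-prefix each field so ("ab","c") and ("a","bc") hash differently.
function fingerprintSkill(files: SkillFiles): string {
  const hash = createHash("sha256");
  const entries = Object.entries(files)
    .map(([path, content]): [string, string] => [path.replace(/\\/g, "/"), content])
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  for (const [path, content] of entries) {
    for (const field of [path, content]) {
      const bytes = Buffer.from(field, "utf8");
      hash.update(`${bytes.length}:`);
      hash.update(bytes);
    }
  }
  return `sha256:${hash.digest("hex")}`;
}

// lock: skill name -> pinned fingerprint (hypothetical stand-in for the lock file).
// approved: fingerprint an operator put in config to re-enable a changed skill.
function checkSkill(name: string, files: SkillFiles, lock: Map<string, string>, approved?: string): Verdict {
  const current = fingerprintSkill(files);
  const pinned = lock.get(name);
  if (pinned === undefined) {
    lock.set(name, current); // first load: trust on first use
    return "pinned";
  }
  if (pinned === current) return "ok";
  // Drift: load only if the operator approved exactly the current content.
  return approved === current ? "re-approved" : "quarantined";
}

// Constructed sample skill, not taken from the repository.
function demo(): Verdict[] {
  const lock = new Map<string, string>();
  const v1: SkillFiles = { "SKILL.md": "# notes\n", "scripts/run.sh": "echo hi\n" };
  const v2: SkillFiles = { ...v1, "scripts/run.sh": "echo changed\n" };
  return [
    checkSkill("notes", v1, lock),
    checkSkill("notes", v1, lock),
    checkSkill("notes", v2, lock),
    checkSkill("notes", v2, lock, fingerprintSkill(v2)),
  ];
}
```

Because the first load pins whatever is on disk, the baseline is only as trustworthy as the workspace was at that moment; an approval that names an older fingerprint does not re-enable content that has changed again since.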
