fix(skill) harden xurl SKILL.md against secret leakage #34

Merged
santiagomed merged 1 commit into xdevplatform:main from xmm:skill-secret-leak-prevention
Feb 20, 2026

@xmm (Contributor) commented Feb 20, 2026

Summary

This PR hardens the xurl skill documentation to reduce the risk of credential leakage in agent/LLM workflows.

What changed

  • Updated /Users/xmm/workspace/opensource/xurl/SKILL.md with a mandatory Secret Safety section.
  • Added explicit rules to:
    • never read, print, parse, or send ~/.xurl to LLM context
    • never ask users to paste credentials/tokens into chat
    • require users to manage secrets manually on their own machine
    • avoid running auth commands with inline secrets in agent sessions
    • forbid --verbose / -v in agent sessions (can expose auth headers/tokens)
  • Removed examples that included secret-bearing CLI options (--client-id, --client-secret, --consumer-key, --consumer-secret, --access-token, --token-secret, --bearer-token).
  • Kept xurl auth status as the safe way to check whether an app with credentials is already registered.
  • Added a prerequisite note that this skill requires the xurl CLI utility: https://github.com/xdevplatform/xurl.

Why

Agent prompts, command output, and logs can unintentionally expose credentials. These changes make secret-handling boundaries explicit and safer by default.

Impact

Documentation-only change. No code or runtime behavior changes.
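
The rules listed in the PR description can also be checked mechanically before an agent runs a command. The sketch below is an added example, not part of this PR or the xurl project; `check_command` is a hypothetical helper and the sample commands are constructed with placeholder values.

```python
import shlex

# Secret-bearing xurl options named in the PR description.
SECRET_FLAGS = {
    "--client-id", "--client-secret", "--consumer-key", "--consumer-secret",
    "--access-token", "--token-secret", "--bearer-token",
}
VERBOSE_FLAGS = {"--verbose", "-v"}  # can expose auth headers/tokens
SECRET_FILE = ".xurl"                # credential store at ~/.xurl


def check_command(command: str) -> list[str]:
    """Return the secret-safety rules an agent-proposed command would break.

    Hypothetical helper (not part of xurl). An empty list means no rule matched.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:
        # Fail closed: refuse anything that cannot be tokenized.
        return ["unparseable command"]

    violations = []
    # Conservative: flags anywhere on a line that invokes xurl are checked,
    # even if they belong to another command in a pipeline.
    invokes_xurl = any(t == "xurl" or t.endswith("/xurl") for t in tokens)
    for tok in tokens:
        flag = tok.split("=", 1)[0]  # handle --flag=value as well as --flag value
        if invokes_xurl and flag in SECRET_FLAGS:
            violations.append(f"inline secret option {flag}")
        if invokes_xurl and tok in VERBOSE_FLAGS:
            violations.append(f"verbose output enabled via {tok}")
        # Any command (cat, grep, cp, ...) touching the credential file.
        if tok.rstrip("/").rsplit("/", 1)[-1] == SECRET_FILE:
            violations.append("references ~/.xurl credential file")
    return violations


if __name__ == "__main__":
    # Constructed sample commands; values are placeholders, not real secrets.
    for cmd in ["xurl auth status", "cat ~/.xurl", "xurl -v /2/users/me",
                "xurl auth --client-id PLACEHOLDER --client-secret=PLACEHOLDER"]:
        print(cmd, "->", check_command(cmd) or "ok")
```

A check like this complements the documentation rules; it does not replace keeping credentials out of the agent's environment in the first place.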

@CLAassistant commented Feb 20, 2026

CLA assistant check
All committers have signed the CLA.

@santiagomed (Collaborator)

Much needed. Thank you!

@santiagomed santiagomed merged commit 4a56f8e into xdevplatform:main Feb 20, 2026
2 checks passed