[CLI-008] Implement skills install through Hub client #10

@AdeGneus

Context

Operators need a safe install path for community skills. Installation must verify Hub signatures before extraction and never execute hooks during install.

Scope

  • Add ori skills install.
  • Use SDK Hub client.
  • Verify signature before extraction.
  • Install into configured community skills directory.

Non-Goals

  • Does not execute installed skill hooks.
  • Does not bypass Hub signature verification.

Technical Specification

Command calls SDK Hub client install, reports status, and refuses invalid or pending review skills.

Acceptance Criteria

  • Invalid signatures are refused.
  • Path traversal tarballs are rejected.
  • Installed skill path is correct.
  • go test ./... passes.

Tests Required

| Test | Verifies |
| --- | --- |
| TestSkillsInstallUsesHubClient | SDK client called. |
| TestSkillsInstallRejectsInvalidSignature | Signature gate. |
| TestSkillsInstallRejectsTraversal | Extraction safety. |

Additional Test Coverage / Edge Cases

  • Install must reject invalid Hub signature before extraction.
  • Install must reject pending_review or unlisted skills.
  • Tarball path traversal and symlink escape attempts must be rejected.
  • Failed install must leave no partial skill directory.
  • Installed hooks must not be imported/executed by the CLI.
  • Existing skill version conflict behavior must be explicit and tested.

Invariants — Do Not Violate

  • Community skill install verifies before extraction.
  • CLI must not execute skill hooks.

Dependencies

Blocked by:

Unblocks:

  • Nothing

Contract References

  • SDK Hub client
  • ori-specs/signing/v1.md

Priority

post-poc

Suggested Labels

blocked, post-poc, security-sensitive
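
The ordering the invariants and edge cases above require (signature check first, then per-entry rejection of traversal and link entries, with no partial directory left behind), as an added Go example that is not code from the ori CLI or its SDK. `InstallSkill`, the Ed25519-over-whole-tarball check and the `.install-*` staging directory are assumptions made for illustration; the real signature format is whatever ori-specs/signing/v1.md defines, and the real command goes through the SDK Hub client.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/ed25519"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// InstallSkill verifies sig over the raw tarball before reading any entry, then
// extracts to a staging dir and renames it into place. Ed25519 over the archive
// is an assumption; the real scheme is defined in ori-specs/signing/v1.md.
func InstallSkill(pub ed25519.PublicKey, tarball, sig []byte, skillsDir, name string) (err error) {
	if !ed25519.Verify(pub, tarball, sig) {
		return fmt.Errorf("invalid Hub signature, nothing extracted")
	}
	stage, err := os.MkdirTemp(skillsDir, ".install-*")
	defer func() {
		if err != nil {
			os.RemoveAll(stage) // a failed install leaves no partial directory
		}
	}()
	for tr := tar.NewReader(bytes.NewReader(tarball)); err == nil; {
		hdr, e := tr.Next()
		if e == io.EOF { // all entries accepted; Rename refuses a non-empty existing install
			return os.Rename(stage, filepath.Join(skillsDir, name))
		} else if e != nil {
			return e
		}
		switch {
		case !filepath.IsLocal(hdr.Name): // absolute path or ".." escape
			err = fmt.Errorf("path traversal entry %q", hdr.Name)
		case hdr.Typeflag == tar.TypeDir:
			err = os.MkdirAll(filepath.Join(stage, hdr.Name), 0o755)
		case hdr.Typeflag == tar.TypeReg: // stored as data, never imported or run
			var data []byte
			if data, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(filepath.Join(stage, hdr.Name), data, 0o644)
			}
		default: // symlink, hardlink, device: refuse rather than resolve
			err = fmt.Errorf("entry %q has unsupported type %q", hdr.Name, hdr.Typeflag)
		}
	}
	return err
}

func main() { fmt.Println(InstallSkill(make(ed25519.PublicKey, 32), nil, nil, os.TempDir(), "demo")) } // constructed unsigned input
```

Regular files must be preceded by their directory entries, as `tar` normally emits them; an archive that omits them fails closed instead of having parents created implicitly.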

Labels

  • blocked: Waiting on another issue or external dependency.
  • post-poc: Important but not blocking PoC.
  • security-sensitive: Touches signing, tokens, keypairs, or Tier D paths.