feat(skill): add service desk approval bypass review

[go165]

/claim #2424

Summary

Adds service-desk-approval-bypass-review, a new identity/security review skill for service desk, helpdesk, and ticketing workflows that can grant account recovery, MFA reset, entitlement changes, customer impersonation, support sessions, device trust changes, or privileged operator actions.

The skill covers:

• actor binding and separation across requester, subject, approver, fulfiller, and automation identity
• approval scope binding, expiry, replay resistance, and immutable approval context
• state-transition, webhook retry, clone/reopen, and background-worker bypasses
• support impersonation and customer/tenant boundary controls
• account recovery, MFA reset, trusted-device, and session revocation checks
• ticket-to-downstream-log reconciliation and tamper-resistant audit evidence

Files

• skills/identity/service-desk-approval-bypass-review/SKILL.md
• skills/identity/service-desk-approval-bypass-review/tests/vulnerable/replayable-approval.yaml
• skills/identity/service-desk-approval-bypass-review/tests/benign/scoped-single-use-approval.yaml
• index.yaml
• roles/security-engineer/SKILL.md

Validation

• git diff --check
• frontmatter required-field check across skills and roles
• index path and skill_count check
• Markdown fence balance check
• prompt-injection pattern scan using the repository workflow patterns
• YAML parse for index.yaml and both fixture files

Bounty

Requested tier: Intermediate new skill bounty, if accepted by maintainers.

Preferred payout: USDC on Base to 0x1f0130669ca6fd02e025a984cc038f139df19a2f.

[github-actions]

Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).