
feat(skill): add serverless function security #2596

Closed

452740336 wants to merge 1 commit into UnitOneAI:main from 452740336:codex/serverless-function-security-skill


Conversation

@452740336


What This PR Does

Adds a new serverless-function-security Cloud/AppSec skill for issue #291.

The skill covers:

  • public invocation review for Lambda Function URLs and API-style serverless routes
  • oversized IAM execution roles and unscoped invoke permissions
  • secret sprawl in infrastructure configuration
  • event-source confusion and handler-side schema/source validation
  • unsafe /tmp usage, dependency provenance, retries, DLQ, concurrency, and idempotency review prompts
  • vulnerable and benign fixtures for CloudFormation/SAM-style YAML, Terraform, and JavaScript handlers
  • a lightweight verification script for the skill assets
  • index.yaml registration and role mappings

This contribution was prepared with Codex assistance and reviewed locally against the repository's validation expectations.

Framework References

  • OWASP Serverless Top 10
  • AWS Lambda Security and shared responsibility guidance
  • AWS Lambda resource-based permissions and source ARN scoping
  • AWS Lambda environment variable handling
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-732: Incorrect Permission Assignment for Critical Resource
  • CWE-798: Use of Hard-coded Credentials

Testing

Validated locally with:

@452740336 452740336 requested a review from kamalsrini as a code owner June 15, 2026 03:01
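As an added example, not code from the PR or from the skill it proposes: a stdlib-only checker for four of the review items listed in the description (public Function URLs, invoke permissions with no SourceArn scoping, wildcard execution roles, and literal secrets in environment variables), run over a constructed CloudFormation-style template. The template is written in JSON rather than YAML only so the example needs no third-party parser; resource names and values are constructed.

```python
import json
import re

# Keys that look like they hold credentials; a literal value here is hard-coded (CWE-798).
SECRET_KEY = re.compile(r"secret|token|password|api_?key", re.I)

def scan_template(template: dict) -> list:
    """Return findings for public Function URLs, unscoped invoke grants,
    wildcard execution roles and literal secrets in environment variables."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::Lambda::Url" and props.get("AuthType") == "NONE":
            findings.append(f"{name}: Function URL is publicly invokable (AuthType NONE)")
        if rtype == "AWS::Lambda::Permission" and props.get("Action") == "lambda:InvokeFunction":
            if props.get("Principal") == "*" or "SourceArn" not in props:
                findings.append(f"{name}: invoke permission not scoped to a source ARN")
        if rtype == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                for st in pol.get("PolicyDocument", {}).get("Statement", []):
                    acts = st.get("Action", [])
                    acts = [acts] if isinstance(acts, str) else acts
                    if (st.get("Effect") == "Allow" and st.get("Resource") == "*"
                            and any(a == "*" or a.endswith(":*") for a in acts)):
                        findings.append(f"{name}: execution role allows wildcard actions on *")
        if rtype in ("AWS::Lambda::Function", "AWS::Serverless::Function"):
            for key, val in props.get("Environment", {}).get("Variables", {}).items():
                # Intrinsic functions ({"Ref": ...}) and dynamic references
                # ({{resolve:secretsmanager:...}}) are not hard-coded; plain strings are.
                if SECRET_KEY.search(key) and isinstance(val, str) and not val.startswith("{{resolve:"):
                    findings.append(f"{name}: environment variable {key} holds a literal secret")
    return findings

# Constructed vulnerable fixture (JSON form of a SAM-style template); every value is made up.
VULNERABLE = json.loads("""{"Resources": {
  "Fn": {"Type": "AWS::Serverless::Function", "Properties": {"Environment": {"Variables":
    {"STRIPE_API_KEY": "sk_live_constructed", "TABLE": {"Ref": "Table"}}}}},
  "FnUrl": {"Type": "AWS::Lambda::Url", "Properties": {"TargetFunctionArn": {"Ref": "Fn"}, "AuthType": "NONE"}},
  "Invoke": {"Type": "AWS::Lambda::Permission", "Properties": {"Action": "lambda:InvokeFunction",
    "FunctionName": {"Ref": "Fn"}, "Principal": "s3.amazonaws.com"}},
  "Role": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "all",
    "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}""")

if __name__ == "__main__":
    for line in scan_template(VULNERABLE):
        print(line)
```

The same fixture with AuthType AWS_IAM, a SourceArn on the permission, a scoped policy statement and a `{{resolve:secretsmanager:...}}` reference for the key produces no findings.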
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 15, 2026
@github-actions github-actions Bot closed this Jun 15, 2026