
chore(ui): add npm security audit skill#11329

Open
Alan-TheGentleman wants to merge 5 commits into master from chore/npm-security-audit-agent

Conversation


@Alan-TheGentleman Alan-TheGentleman commented May 22, 2026

Context

Follow-up from an internal npm supply-chain audit against https://github.com/lirantal/npm-security-best-practices. The goal is to keep the audit guidance reusable as a project skill and reduce local package-install side effects.

Description

  • Add prowler-npm-security-audit as a project skill under skills/ and register it in root/UI agent guidance.
  • Document that Prowler should not enable general UI dependency-update automation in Dependabot/Renovate; only security remediation should be considered.
  • Stop worktree startup from auto-running cd ui && pnpm install; it now prints the explicit install command instead.
  • Make UI git hook setup opt-in from postinstall, while preserving an explicit pnpm run setup:hooks command.
  • Update UI README hook setup instructions for both ui/ and monorepo-root contexts.

Steps to review

  1. Inspect skills/prowler-npm-security-audit/SKILL.md and confirm the audit scope/checklist matches the repo supply-chain policy.
  2. Inspect AGENTS.md and ui/AGENTS.md and confirm the skill is registered and auto-invoked for npm/pnpm package security work.
  3. Inspect .config/wt.toml and confirm worktree startup no longer runs UI package lifecycle scripts automatically.
  4. Inspect ui/scripts/postinstall.js and confirm git hooks are only installed when PROWLER_UI_SETUP_GIT_HOOKS=1 is set.
  5. Inspect ui/README.md and confirm manual hook setup commands are accurate from both ui/ and the monorepo root.
  6. Confirm no general UI Dependabot/Renovate dependency update automation is enabled by this PR.

Validation

  • ./skills/skill-sync/assets/sync.sh
  • node --check ui/scripts/postinstall.js
  • node --check ui/scripts/setup-git-hooks.js
  • git diff --check origin/master..HEAD
  • Commit hooks: UI Prettier, YAML checks, zizmor, TruffleHog
  • Judgment Day dual review: approved after README command-location fixes

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

UI (if applicable)

  • All issue/task requirements work as expected on the UI
  • Ensure new entries are added to ui/CHANGELOG.md

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@Alan-TheGentleman Alan-TheGentleman requested review from a team as code owners May 22, 2026 10:32
@Alan-TheGentleman Alan-TheGentleman added the no-changelog Skip including change in changelog/release notes label May 22, 2026

github-actions Bot commented May 22, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@Alan-TheGentleman Alan-TheGentleman marked this pull request as draft May 22, 2026 10:36

github-actions Bot commented May 22, 2026

🔒 Container Security Scan

Image: prowler-ui:3d435fa
Last scan: 2026-05-22 12:10:05 UTC

📊 Vulnerability Summary

Severity: Critical, count 2
Total: 2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@Alan-TheGentleman Alan-TheGentleman changed the title from "chore(ui): harden npm package audit workflow" to "chore(ui): add npm security audit skill" May 22, 2026
@Alan-TheGentleman Alan-TheGentleman marked this pull request as ready for review May 22, 2026 12:15
@Alan-TheGentleman Alan-TheGentleman requested a review from a team as a code owner May 22, 2026 12:15