fix: exclude hidden directories from find/grep search backends (#1558)

The primary injection vector in #1558 was search_files discovering
catalog cache files in .hub/index-cache/ via find or grep, which
don't skip hidden directories like ripgrep does by default.

Three-layer fix:

1. _search_files (find): add -not -path '*/.*' to exclude hidden
   directories, matching ripgrep's default behavior.

2. _search_with_grep: add --exclude-dir='.*' to skip hidden
   directories in the grep fallback path.

3. _write_index_cache: write a .ignore file to .hub/ so ripgrep
   also skips it even when invoked with --hidden (belt-and-suspenders).

This makes all three search backends (rg, grep, find) consistently
exclude hidden directories, preventing the agent from discovering
and reading unvetted community content in hub cache files.

tools/skills_hub.py

@@ -2063,6 +2063,15 @@ def _read_index_cache(key: str) -> Optional[Any]:
 def _write_index_cache(key: str, data: Any) -> None:
     """Write data to cache."""
     INDEX_CACHE_DIR.mkdir(parents=True, exist_ok=True)
+    # Ensure .ignore exists so ripgrep (and tools respecting .ignore) skip
+    # this directory.  Cache files contain unvetted community content that
+    # could include adversarial text (prompt injection via catalog entries).
+    ignore_file = HUB_DIR / ".ignore"
+    if not ignore_file.exists():
+        try:
+            ignore_file.write_text("# Exclude hub internals from search tools\n*\n")
+        except OSError:
+            pass
     cache_file = INDEX_CACHE_DIR / f"{key}.json"
     try:
         cache_file.write_text(json.dumps(data, ensure_ascii=False, default=str))