create-cowork-plugin: verify SKILL.md byte-equality after zip in Phase 5

[Corvanadasha]

Problem

Phase 5 packages the plugin with zip -r ... && cp and ships the archive straight to the user's outputs folder. There is no check that the files actually inside the .plugin archive match the source on disk. Silent mid-word truncation has been observed in practice (e.g. our content-research-writer regression in late April 2026, where a SKILL.md ended mid-sentence in the shipped archive). It is very hard to spot post-install because the truncation only shows up when the relevant section of the SKILL.md is exercised.

Change

Wraps the existing zip+cp into a set -e block and inserts an inline Python step between them that:

• opens the freshly-built archive with zipfile,
• iterates every entry whose name ends in SKILL.md,
• byte-compares the archive entry against the source file on disk,
• exits 1 (and halts the flow under set -e) on any mismatch or missing source file.

No external script dependency; pure stdlib. The check is fast (single-digit ms even for large plugins) and only runs once per build.

Why inline rather than a shipped script

Kept it inline so the plugin's installable footprint doesn't change and reviewers don't have to assess a new file. If you'd prefer a shipped scripts/verify-build.py, happy to factor it out.

Smoke tested

• Clean build of a single-skill plugin → verifier exits 0, cp runs.
• Source SKILL.md truncated by 10 bytes after the archive was built → verifier prints [FAIL] skills/test-skill/SKILL.md: archive 57B vs source 47B, exits 1, set -e halts the flow before cp.