fix(allium-x402): use HTTPS for CLI install command #80

Open
sricursion wants to merge 1 commit into moonpay:main from sricursion:claude/epic-haibt-178937

Conversation

@sricursion

@sricursion sricursion commented May 5, 2026

Summary

Changes the Allium CLI install command in skills/allium-x402/SKILL.md from http:// to https:// (two locations: the install: frontmatter field on line 8 and the CLI table on line 21).

Why

The skill instructed agents to install the Allium CLI by piping cleartext HTTP to sh:

curl -sSL http://agents.allium.so/cli/install.sh | sh

A network adversary on the path (public WiFi, evil-twin AP, compromised home router, malicious DNS resolver, BGP hijack) can answer the cleartext request with an arbitrary shell payload. sh runs that payload as the user — and that user owns:

  • ~/.config/moonpay/wallets.json (AES-256-GCM-encrypted private keys for SOL/ETH/BTC/TRX)
  • The OS-keychain entry moonpay-cli / encryption-key (same-UID access, no extra prompt)
  • ~/.config/moonpay/credentials.json (encrypted MoonPay session)

End-to-end: a single agent task that loads this skill on a hostile network = wallet drain.

The same host already serves over HTTPS — the same file uses https://agents.allium.so/... three lines below for the skill-fetch URLs. So this is a one-character oversight on the most security-sensitive line of the skill, not a server limitation.

Anything reviewers should know

  • This deviates from the new-skill PR template because it's a security fix, not a new skill. No template fields apply.
  • A stronger fix would publish a signed install script (GPG/minisign) and have the skill verify before piping to sh. The scheme upgrade alone closes the network-attacker MITM path; signing is a follow-up worth considering.
  • I checked the rest of the repo: skills/moonpay-fund-polymarket/SKILL.md:38 already uses HTTPS (raw.githubusercontent.com). No other unencrypted code-loading channels found.

Diff

 install: >-
-  curl -sSL http://agents.allium.so/cli/install.sh | sh
+  curl -sSL https://agents.allium.so/cli/install.sh | sh
-| **CLI**        | `allium` (installed via `curl -sSL http://agents.allium.so/cli/install.sh \| sh`) |
+| **CLI**        | `allium` (installed via `curl -sSL https://agents.allium.so/cli/install.sh \| sh`) |
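Review bot: Both `+` lines (the `install:` frontmatter value and the CLI table row) keep `-L`, so curl will still follow a redirect from the HTTPS URL to an `http://` URL and the cleartext path this change closes can be reopened by whoever controls the redirect; add `--proto '=https'` (protocols denied by `--proto` are also denied on redirect) or drop `-L`. Adding `-f` is also worth considering, since without it a 4xx/5xx response body is piped into `sh` as if it were the install script. Suggested form for both locations: `curl --proto '=https' --tlsv1.2 -fsSL https://agents.allium.so/cli/install.sh | sh`.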

Test plan

  • Confirm https://agents.allium.so/cli/install.sh resolves and serves the same install script (it does — verified during prep).
  • Confirm no other http:// URLs in skills/**/SKILL.md (verified — only DOCTYPE references, which are URIs, not fetched).

The skill instructed agents to install the Allium CLI via
`curl -sSL http://agents.allium.so/cli/install.sh | sh`. A network
adversary on the path (public WiFi, evil-twin AP, compromised router,
malicious DNS, BGP hijack) could answer the cleartext request with an
arbitrary shell payload that runs as the user — full local code
execution, with same-user access to the encrypted wallet store at
~/.config/moonpay/wallets.json and the OS-keychain encryption key.

The same host already serves over HTTPS (used elsewhere in the same
file for the x402-setup/developer/explorer skill fetches), so this is
a single-character oversight on the most security-sensitive line of
the skill, not a server limitation.

Fix: change http:// to https:// in both the `install:` frontmatter
field and the CLI table in the skill body.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
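The repository-wide check from the test plan ("no other http:// URLs in skills/**/SKILL.md", DOCTYPE URIs excepted), written out as an added example; this is not code from the PR or from the moonpay repo. It is a POSIX shell lint that lists every cleartext `http://` URL in skill files and separately flags the high-severity subset where a curl/wget fetch is piped into a shell. The `skills/*/SKILL.md` layout is taken from the PR text; the sample skill files, the `example.invalid` host and the hardened curl flags in the clean sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR or the moonpay repo): lint SKILL.md files
# for cleartext http:// code-loading channels.
# Assumptions: POSIX sh, find, grep -E; skills live under DIR/*/SKILL.md as
# described in the PR. Sample contents below are constructed.

# find_cleartext_urls DIR
# Every http:// occurrence in SKILL.md files, as "file:line:text".
# DOCTYPE URIs are identifiers, not fetched resources, so they are excluded
# (the same exception the PR's test plan makes).
find_cleartext_urls() {
    find "$1" -type f -name 'SKILL.md' -exec grep -nH 'http://' {} + \
        | grep -v 'DOCTYPE'
}

# find_cleartext_installs DIR
# The dangerous subset: a curl/wget fetch of an http:// URL whose output is
# piped into sh or bash. Matches both a plain command and a markdown table
# cell where the pipe is escaped as "\|".
find_cleartext_installs() {
    find "$1" -type f -name 'SKILL.md' -exec grep -nHE \
        '(curl|wget)[^|]*http://[^|]*[|][[:space:]]*(ba)?sh([^[:alnum:]_]|$)' {} +
}

count_cleartext_urls()     { find_cleartext_urls "$1"     | wc -l | tr -d ' '; }
count_cleartext_installs() { find_cleartext_installs "$1" | wc -l | tr -d ' '; }

# make_sample_skills DIR
# Writes two constructed skill files: one with the cleartext pattern the PR
# fixes (plus a documentation link and a DOCTYPE URI), one already hardened.
make_sample_skills() {
    mkdir -p "$1/bad-skill" "$1/good-skill"
    cat > "$1/bad-skill/SKILL.md" <<'EOF'
---
name: bad-skill
install: >-
  curl -sSL http://example.invalid/cli/install.sh | sh
---
See http://example.invalid/docs for details.
| **CLI** | `tool` (installed via `curl -sSL http://example.invalid/cli/install.sh \| sh`) |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
EOF
    # Constructed hardened form: HTTPS only (also on redirects), TLS 1.2+,
    # and -f so an HTTP error page is never piped into sh.
    cat > "$1/good-skill/SKILL.md" <<'EOF'
---
name: good-skill
install: >-
  curl --proto '=https' --tlsv1.2 -fsSL https://example.invalid/cli/install.sh | sh
---
EOF
}

# Usage: sh lint_skills.sh skills/      (scan a real tree)
# With no argument, scan the constructed samples instead.
if [ -z "${1:-}" ]; then
    demo_dir=$(mktemp -d)
    make_sample_skills "$demo_dir"
    set -- "$demo_dir"
fi
printf 'cleartext http:// URLs (DOCTYPE URIs excluded):\n'
find_cleartext_urls "$1" || true
printf 'cleartext fetches piped into a shell (high severity):\n'
find_cleartext_installs "$1" || true
if [ -n "${demo_dir:-}" ]; then rm -rf "$demo_dir"; fi
```

On the constructed samples the first list reports three lines (the frontmatter command, the documentation link and the table row) and the second reports only the two that pipe into `sh`; the good skill and the DOCTYPE line appear in neither. Running it against a real `skills/` directory in CI turns the test plan's manual check into a repeatable one.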
@sricursion sricursion marked this pull request as ready for review May 5, 2026 04:52
@sricursion sricursion requested a review from a team as a code owner May 5, 2026 04:52
Copilot AI review requested due to automatic review settings May 5, 2026 04:52

Copilot AI left a comment


Pull request overview

This PR hardens the Allium x402 skill by switching its documented CLI installer from HTTP to HTTPS, which fits the codebase’s goal of providing safe, actionable agent instructions for third-party tools.

Changes:

  • Updates the install frontmatter command to use https://agents.allium.so/....
  • Updates the CLI summary table to show the same HTTPS install command.
  • Keeps the rest of the skill behavior and fetch flow unchanged.


@sricursion
Author

@wannabehero @vinceferro

When you have a moment, could you please review this PR? It switches the Allium CLI install command from HTTP to HTTPS to close a MITM risk on the installer path. Thank you.
