Open
Description
Context
During testing of the CLI adapter system with Postmark webhooks, the automated review flagged a "critical" issue that wasn't actually a problem:
The documentation correctly states that Postmark does NOT use signature verification, which aligns with the official documentation. However, the review checklist's focus on signature verification is misleading for this provider.
Problem
The review prompt in scripts/skill-generator/prompts/review-skill.md focuses heavily on signature verification as a critical check. For providers like Postmark that use URL-based authentication (token in query param or basic auth) instead of signature verification, this creates misleading review feedback.
Suggested Fix
Update the review checklist to:
- Recognize that some providers don't use signature verification
- Check that the skill correctly documents the provider's actual authentication method
- Only flag missing signature verification as critical if the provider actually uses it
Providers Without Signature Verification
- Postmark - Uses URL-based token authentication or basic auth
- (Others may exist)
Related
- PR feat: add postmark-webhooks skill #24 - Postmark webhooks skill (generated during CLI adapter testing)
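What a review can check in place of signature verification for a provider like this: that the receiving endpoint validates the basic-auth credentials or URL token, compares them in constant time, and fails closed. This is an added example, not code from this issue or the project; the function names, the `token` query parameter name and the sample credentials are assumptions made for illustration.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample header (hypothetical credentials "hook" / "s3cret").
SAMPLE_AUTH = "Basic " + base64.b64encode(b"hook:s3cret").decode()


def _equal(a, b):
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_auth_ok(authorization, user, password):
    """Check an Authorization: Basic header against the expected credentials."""
    if not authorization:
        return False
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False  # malformed header is a rejection, not a server error
    got_user, sep, got_password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons before combining them.
    user_ok = _equal(got_user, user)
    password_ok = _equal(got_password, password)
    return user_ok and password_ok


def url_token_ok(url, expected_token, param="token"):
    """Check a shared token carried in the query string (param name assumed)."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    # A repeated parameter is ambiguous, so reject it.
    return len(values) == 1 and _equal(values[0], expected_token)


def authenticate(url, headers, *, user=None, password=None, token=None):
    """Use the configured method only; with nothing configured, fail closed."""
    # Assumes header names in `headers` are already normalized by the framework.
    if user is not None and password is not None:
        return basic_auth_ok(headers.get("Authorization"), user, password)
    if token is not None:
        return url_token_ok(url, token)
    return False
```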