feat: Add skill filtering with allowed/excluded lists

[pomelo-nwu]

What would you like to be added?

Add configuration options to control which skills can be activated during a session:

• allowedSkills: Whitelist of skill names that can be invoked
• excludedSkills: Blacklist of skill names that should be disabled

These could be configured at both project level (.qwen/settings.json) and user level (~/.qwen/settings.json).

Example configuration:

{
  "skills": {
    "allowed": ["pdf", "xlsx", "docx"],
    "excluded": ["internal-tool"]
  }
}

Why is this needed?

1. Security/Compliance: Teams may want to restrict which skills are available in certain projects to prevent unintended data access or operations.

2. Noise Reduction: Users with many skills installed may want to limit the active skill set for specific workflows, improving model accuracy in skill selection.

3. Environment Control: Different environments (dev/staging/prod) may require different skill sets.

4. Team Governance: Project maintainers can enforce which skills are approved for use within their codebase.

Additional context

Currently, all discovered skills (project, user, and extension level) are available for model invocation. There's no mechanism to filter or restrict this list at runtime.

The existing allowedTools field in SkillConfig is for declaring which tools a skill can use, not for controlling skill availability.

[kilowu]

+1.

Maybe we should add a setting that allow users to configure skills loading directory ?

We need this feature so that we can overwrite the project level skills (team used) by oneself's experimental skills set (for new workflow exploration).

[pomelo-nwu]

related：#2283