The work_skin_allowed method is set up to be run in the validation context :save, but if I'm not mistaken, that validation context is never used anywhere. (Only :create and :update are used by default.) As a result, the function never runs, and a user can use another user's work skin if they know the ID and know how to use Inspect Element to change form values.
(The method does appear to be covered in codecov, but only because it's run manually in the work spec.)
1. Log in as User A.
2. Go to Dashboard > Skins > My Work Skins.
3. If you haven't already created a work skin, press "Create Work Skin" and fill in the fields. Try to use a skin that's very obvious when it's applied, like something that turns all paragraphs red.
4. Click "Edit" on one of your work skins, and copy the ID from the URL.
5. Log in as User B.
6. Go to Post > New Work and fill in all of the required fields.
7. Select a skin from the "Select Work Skin" menu.
8. Use Inspect Element on the skins dropdown to set the value associated with that skin to the ID of User A's skin.
9. Press "Preview" or "Post Without Preview."
10. Notice that User A's skin has been applied, even though you don't have permission to use it.
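To show why the `on: :save` context makes the ownership check silently disappear, here is an added illustration that is not code from the project: a minimal stand-in for how ActiveRecord dispatches validations by context (an assumption about Rails behaviour, not ActiveRecord itself), with the `work_skin_allowed` check declared once as on the page and once with the context dropped, which is one possible fix.

```ruby
# Minimal stand-in for ActiveRecord's validation-context dispatch (this mimics
# Rails behaviour as assumed here; it is not ActiveRecord). A validation with
# `on:` runs only when its context matches, and a plain save supplies
# :create for new records and :update for persisted ones, never :save.
class MiniRecord
  def self.validations
    @validations ||= []
  end
  def self.validate(method_name, on: nil)
    validations << [method_name, on]
  end
  attr_reader :errors
  def initialize(persisted: false)
    @persisted = persisted
    @errors = []
  end
  # Mirrors valid?(context = nil): with no explicit context the record's
  # state picks :create/:update, so `on: :save` can never match.
  def valid?
    @errors = []
    context = @persisted ? :update : :create
    self.class.validations.each do |method_name, on|
      send(method_name) if on.nil? || on == context
    end
    @errors.empty?
  end
end
WorkSkin = Struct.new(:id, :author)   # constructed stand-in for the skin model
module WorkSkinCheck
  attr_accessor :user, :work_skin
  def work_skin_allowed   # hypothetical body: skin must belong to the poster
    return if work_skin.nil? || work_skin.author == user
    @errors << "work skin #{work_skin.id} does not belong to #{user}"
  end
end
class BuggyWork < MiniRecord
  include WorkSkinCheck
  validate :work_skin_allowed, on: :save   # as on the page: never the active context
end
class FixedWork < MiniRecord
  include WorkSkinCheck
  validate :work_skin_allowed              # no `on:`: runs on create and update
end
# Returns true if a new record of klass accepts the given skin for user.
def skin_accepted?(klass, user, skin)
  work = klass.new
  work.user = user
  work.work_skin = skin
  work.valid?
end
```

With the buggy declaration another user's skin ID passes validation exactly as the reproduction steps describe; with the context removed it is rejected.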