security-research

Team Mode security research skill. Orchestrates 3 vulnerability hunters and 2 PoC engineers to audit a codebase in parallel, prove exploitability, classify root causes, and calibrate severity by actual exploitability. Use for security review, vulnerability research, exploitability audit, pre-release security check, threat model validation, and `/security-research`. Triggers: 'security-research', 'security research', 'security review', 'vulnerability audit', 'exploitability audit', '보안 리뷰', '취약점 감사'.
code-yeongyu/oh-my-openagent · ★ 59,905 · AI & Automation · score 83
Install: claude install-skill code-yeongyu/oh-my-openagent
# Security Research - Team Mode Vulnerability Audit

Use this skill to run a parallel security audit that separates real exploitability from generic concern. The team has 3 vulnerability hunters and 2 PoC engineers.

## Hard Preconditions

Before starting, verify:

1. `team_*` tools are available. If not, stop and tell the user: `security-research requires team-mode. Set team_mode.enabled: true in your oh-my-openagent config, restart opencode, then retry.`
2. You are in the main session, not a background subagent.
3. You have a concrete target: repository, diff range, PR, release candidate, path list, or threat surface.

If the user provided no target, audit the current repository and current branch diff against its upstream or merge base. If there is no diff, audit the security-sensitive surfaces in the working tree.

## Severity Standard

Use these references as the scoring frame:

- CWE for root-cause weakness classification: https://cwe.mitre.org/
- OWASP WSTG for test methodology: https://devguide.owasp.org/en/06-verification/01-guides/01-wstg/
- OWASP ASVS for control verification: https://owasp.org/www-project-application-security-verification-standard/
- CVSS v4.0 for exploitability and impact scoring: https://www.first.org/cvss/v4.0/specification-document

Rules:

- No severity without an attack path.
- No critical or high finding without concrete exploit preconditions and impact.
- Keep CWE category separate from severity.
- Prefer a small, reproducible PoC over