Fix a vm2 sandbox escape vulnerability given a Security Advisory ID (GHSA/CVE). Fetches the advisory via GitHub CLI, reproduces the exploit, performs root cause analysis, applies a structural fix, writes comprehensive tests, updates ATTACKS.md, and red-teams the result. Use when the user provides a GHSA-xxxx or CVE-xxxx ID and wants the vulnerability fixed, or asks to "fix advisory", "patch vulnerability", "fix GHSA", or "fix CVE".
Merge a confirmed vm2 vulnerability fix from its temporary private fork (`ghsa-<short-id>`) into local main, resolve every conflict, scrub external attribution, and re-run the full test surface before the release pass. Use after the reporter has confirmed the fix on the per-advisory branch and the user asks to "merge fix", "merge advisory", "integrate fix", "land GHSA", "merge the private fork", or otherwise wants to bring `fix/GHSA-<full-id>` into local main. Strictly the local integration step — NEVER pushes to origin and NEVER publishes.
Red team agent for vm2 sandbox escape testing. Systematically attempts to break out of the vm2 JavaScript sandbox by exploiting known and novel attack vectors. Use this skill whenever the user makes changes to vm2's sandbox code (bridge.js, setup-sandbox.js, setup-node-sandbox.js, vm.js, nodevm.js, transformer.js) and wants to verify the sandbox still holds. Also use when the user asks to "hack", "attack", "test security", "try to escape", "red team", or "pentest" the sandbox. Trigger on any request to find sandbox escapes or verify sandbox integrity.