exploit-chain
Install: claude install-skill roodlicht/accans-sec-skills
# Exploit Chain Composer
> **Scope-only**: chains are written at pattern level, not as ready-to-run exploit sequences against specific production versions. PoC execution belongs in a lab or in a customer-provided sandbox, with explicit RoE sign-off per step. A smoothly working chain has great demo value and equally real damage potential if played outside scope.
## When to use
Many pentest reports are lists of unrelated mediums. The value often sits in the chain: bug A on its own is medium, chained with B it becomes a blocker. This skill helps make those paths explicit.
Triggers on:
- A question like "can we chain these three findings", "what is the worst path through this system", "does open redirect plus OAuth amount to account takeover", "how do I score a chain in CVSS".
- A reporting phase where individual findings have already been triaged via `web-exploit-triage` and you want to see which are combinable.
- Bug-bounty submissions that are only relevant as a chain (a stand-alone self-XSS has no value, but self-XSS + open redirect + OAuth flow has potential ATO).
- A red-team engagement where chain-thinking is the entire methodology.
- A defensive exercise: showing a dev team why their "only low findings" still add up to critical.
### When NOT (handoff)
- Per-finding class triage → `web-exploit-triage`. This skill leans on that output; it does not repeat it.
- Concrete payload construction within a single class → `payload-crafter`.
- Post-exploitation activity after the first foo