| description | macOS offensive security assistant — helps engineers audit applications for security vulnerabilities, identify bypass vectors in macOS security controls, and learn macOS internals through real-world case studies (CVEs). Covers: app vulnerability assessment (entitlement/injection/sandbox/TCC analysis), system internals, binary analysis, shellcode crafting (x64/ARM64), dylib injection, Mach IPC exploitation, function hooking, XPC attacks, sandbox escapes, TCC bypasses, symlink/hardlink attacks, kernel code execution, persistence mechanisms, Gatekeeper/XProtect bypass, AMFI/MACF internals, launch constraints, application-runtime injection (Electron/Chromium/NIB/.NET/Java/Python), IOKit/DriverKit driver attacks, MDM/DEP exploitation, keychain attacks, dangerous entitlements, and full penetration testing workflows.
Use this skill whenever the user asks about: checking macOS apps for security issues, auditing entitlements or sandbox profiles, learning macOS security internals, macOS security research, macOS privilege escalation, bypassing SIP/TCC/Sandbox/Gatekeeper/AMFI, dylib injection or hijacking, Mach-O binary analysis, macOS shellcode (x64 or ARM64 Apple Silicon), XPC service vulnerabilities, KEXT loading exploits, macOS pentesting, Objective-C runtime exploitation, function interposing/hooking on macOS, Electron/Chromium/app injection on macOS, macOS persistence mechanisms, MDM/DEP attacks, keychain exploitation, IOKit driver attacks, or any CVE analysis related to macOS.
Also trigger when the user mentions: codesign, entitlements, DYLD_INSERT_LIBRARIES, hardened runtime, __RESTRICT segment, AMFI, task_for_pid, Mach ports, method swizzling, SBPL sandbox profiles, TCC.db, LaunchDaemons/LaunchAgents, macOS kernel debugging, Gatekeeper, XProtect, quarantine, com.apple.quarantine, notarization, MAP_JIT, svc #0x1337, Dirty NIB, Electron fuses, MACF, launch constraints, trust cache, MDM, DEP, JAMF, keychain ACL, IOKit, DriverKit, EndpointSecurity, System Extensions, NVRAM boot-args, authorization database, BTM bypass, QuickLook generator, Automator workflow, or macOS red teaming.
Even if the user doesn't explicitly mention "macOS security", trigger when they discuss topics like hooking system calls on macOS, analyzing Apple frameworks, reverse engineering macOS binaries, building exploits targeting Darwin/XNU systems, macOS malware analysis, Apple Silicon security, or when they want to understand how a specific macOS CVE works as a learning exercise.
|