원클릭으로
offensive-macos-scriptorium-evidence
Use when linking claims, artifacts, decisions, and handoff state across a macOS reversing project.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Use when linking claims, artifacts, decisions, and handoff state across a macOS reversing project.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Use when choosing or adding macOS research machines: primary, crash-test, cross-platform Apple Silicon, and Intel baseline. Fires on "add a lab machine", "which machine should run this", "primary lab host", "crash-test", "Intel baseline", and "cross-platform verification".
Use when driving Ghidra headless from Cursor for macOS reverse engineering: opening Mach-O binaries, listing functions, decompiling by address, running custom Ghidra scripts, or doing breadth sweeps across many targets. Fires on "ghidra-mcp", "decompile with Ghidra", "run a Ghidra script", "list functions in this binary", and systemic-class scan setup.
Use when starting a macOS reversing pass from an app bundle, installer, framework, XPC bundle, helper, or bare binary path. Fires on "start target", "inventory this app", "point at this bundle", "begin PASS", and "target intake".
Use when mapping a macOS target's attack surfaces to reusable vulnerability classes, generating hunt hypotheses for a new third-party app, or deciding which playbook or scanner applies. Fires on "vulnerability ontology", "bug-class map", "what bug classes apply", "generate hypotheses", and "classify this macOS surface".
Use when a macOS target appears to be Electron-based and needs ASAR, package, preload, IPC, native module, fuse, sandbox, or update review.
Use when a question touches the lab topology: what runs on the workstation, what runs on the primary lab host, how `ghidra-mcp` and `macre-vm-mcp` are wired, how to start a findings repo, which machine role to use, why Hopper is manual-only, or how to troubleshoot MCP/SSH/script sync failures.
| name | offensive-macos-scriptorium-evidence |
| description | Use when linking claims, artifacts, decisions, and handoff state across a macOS reversing project. |
| folder | offensive-macos-scriptorium-evidence |
| source | skillz-wave4 |
| trigger_phrases | ["scriptorium","evidence graph","flight recorder","why do we believe"] |
Channel boundary:
REPO_MODE=analysis. The Scriptorium preserves evidence and decisions. It does not store target binaries, PoCs, or sensitive artifacts in the station template.
CORPUS.md.scripts/triage.py create; transition with scripts/triage.py transition C-NNN <status>. Every transition records history + evidence + timestamp automatically.SCRIPTORIUM.md with the claim, evidence path, candidate id, and the binary's sha256 (hash-pin every claim).CHRONICLE.md when the investigation direction changes.scripts/triage.py render so INDEX.md reflects current state. INDEX.md is generated; never hand-edit.METRICS.md counts on close / escalate / report transitions.HANDOFF.md so the next session can resume from the latest evidence path.Every dynamic transcript and decompilation citation should include the sha256 of the Mach-O slice that produced it. This protects against silent target updates: if the slice changes, evidence written against the old slice no longer counts.
shasum -a 256 targets/<target>
# or, on the lab host where the binary actually ran
ssh <lab-host> shasum -a 256 /Users/<remote-user>/Targets/<target>
Pass via scripts/triage.py transition C-NNN <status> --binary-sha256 <hex>.
scripts/triage.pytemplates/findings-repo/SCRIPTORIUM.mdtemplates/findings-repo/CHRONICLE.mdtemplates/findings-repo/INDEX.md (schema + state machine reference)Skills/offensive-macos-watch-static-analysis/SKILL.md