一键导入
offensive-macos-watch-static-analysis
Use when turning target intake, dossier facts, and first-pass static sweeps into decision support for a macOS reversing pass.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when turning target intake, dossier facts, and first-pass static sweeps into decision support for a macOS reversing pass.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
| name | offensive-macos-watch-static-analysis |
| description | Use when turning target intake, dossier facts, and first-pass static sweeps into decision support for a macOS reversing pass. |
| folder | offensive-macos-watch-static-analysis |
| source | skillz-wave4 |
| trigger_phrases | ["watch","static decision support","recommend the first sweep","what should we analyze next"] |
Channel boundary:
REPO_MODE=analysis. Triage, root-cause analysis, defensive mapping, and reporting only. Watch recommends next evidence; it does not claim proof.
CORPUS.md, the target map, and the dossier under findings/analysis/.docs/playbooks/investigation-recipes.md.CORPUS.md, SCRIPTORIUM.md, CHRONICLE.md, and HANDOFF.md when the decision changes project state.## Watch Recommendation
- Target ID:
- Pass ID:
- Dossier:
- Observed surfaces:
- Recommended recipe:
- First artifact to produce:
- Coverage gaps:
- Stop condition:
scripts/start-target.pytemplates/findings-repo/CORPUS.mddocs/playbooks/investigation-recipes.mdSkills/offensive-macos-bundle-intake/SKILL.mdUse when choosing or adding macOS research machines: primary, crash-test, cross-platform Apple Silicon, and Intel baseline. Fires on "add a lab machine", "which machine should run this", "primary lab host", "crash-test", "Intel baseline", and "cross-platform verification".
Use when driving Ghidra headless from Cursor for macOS reverse engineering: opening Mach-O binaries, listing functions, decompiling by address, running custom Ghidra scripts, or doing breadth sweeps across many targets. Fires on "ghidra-mcp", "decompile with Ghidra", "run a Ghidra script", "list functions in this binary", and systemic-class scan setup.
Use when starting a macOS reversing pass from an app bundle, installer, framework, XPC bundle, helper, or bare binary path. Fires on "start target", "inventory this app", "point at this bundle", "begin PASS", and "target intake".
Use when mapping a macOS target's attack surfaces to reusable vulnerability classes, generating hunt hypotheses for a new third-party app, or deciding which playbook or scanner applies. Fires on "vulnerability ontology", "bug-class map", "what bug classes apply", "generate hypotheses", and "classify this macOS surface".
Use when a macOS target appears to be Electron-based and needs ASAR, package, preload, IPC, native module, fuse, sandbox, or update review.
Use when a question touches the lab topology: what runs on the workstation, what runs on the primary lab host, how `ghidra-mcp` and `macre-vm-mcp` are wired, how to start a findings repo, which machine role to use, why Hopper is manual-only, or how to troubleshoot MCP/SSH/script sync failures.