macos-control-bypasser

This skill should be used when a user asks to debug an interactive CLI, REPL, TUI, prompt loop, shell wizard, watch mode, long-running terminal process, or any command that hangs, waits for input, redraws incorrectly, needs multiple inputs, behaves differently in a real terminal, or requires comparing tmux panes. Trigger on phrases like “it hangs after Continue?”, “the prompt never appears,” “my curses UI breaks in a small terminal,” “the watcher only fails after I answer the prompt,” or “inspect pane 2.”

macOS offensive security assistant — helps engineers audit applications for security vulnerabilities, identify bypass vectors in macOS security controls, and learn macOS internals through real-world case studies (CVEs). Covers: app vulnerability assessment (entitlement/injection/sandbox/TCC analysis), system internals, binary analysis, shellcode crafting (x64/ARM64), dylib injection, Mach IPC exploitation, function hooking, XPC attacks, sandbox escapes, TCC bypasses, symlink/hardlink attacks, kernel code execution, persistence mechanisms, Gatekeeper/XProtect bypass, AMFI/MACF internals, launch constraints, application-runtime injection (Electron/Chromium/NIB/.NET/Java/Python), IOKit/DriverKit driver attacks, MDM/DEP exploitation, keychain attacks, dangerous entitlements, and full penetration testing workflows. Use this skill whenever the user asks about: checking macOS apps for security issues, auditing entitlements or sandbox profiles, learning macOS security internals, macOS security research, macOS privilege escalation, bypassing SIP/TCC/Sandbox/Gatekeeper/AMFI, dylib injection or hijacking, Mach-O binary analysis, macOS shellcode (x64 or ARM64 Apple Silicon), XPC service vulnerabilities, KEXT loading exploits, macOS pentesting, Objective-C runtime exploitation, function interposing/hooking on macOS, Electron/Chromium/app injection on macOS, macOS persistence mechanisms, MDM/DEP attacks, keychain exploitation, IOKit driver attacks, or any CVE analysis related to macOS. Also trigger when the user mentions: codesign, entitlements, DYLD_INSERT_LIBRARIES, hardened runtime, __RESTRICT segment, AMFI, task_for_pid, Mach ports, method swizzling, SBPL sandbox profiles, TCC.db, LaunchDaemons/LaunchAgents, macOS kernel debugging, Gatekeeper, XProtect, quarantine, com.apple.quarantine, notarization, MAP_JIT, svc #0x1337, Dirty NIB, Electron fuses, MACF, launch constraints, trust cache, MDM, DEP, JAMF, keychain ACL, IOKit, DriverKit, EndpointSecurity, System Extensions, NVRAM boot-args, authorization database, BTM bypass, QuickLook generator, Automator workflow, or macOS red teaming. Even if the user doesn't explicitly mention "macOS security", trigger when they discuss topics like hooking system calls on macOS, analyzing Apple frameworks, reverse engineering macOS binaries, building exploits targeting Darwin/XNU systems, macOS malware analysis, Apple Silicon security, or when they want to understand how a specific macOS CVE works as a learning exercise.

微步在线威胁情报查询工具。支持IP、域名、文件哈希威胁情报查询，漏洞情报查询，资产测绘等功能。支持微信登录自动化和X语言高级搜索。当用户需要查询威胁情报、进行资产测绘或使用微步在线平台时，应使用此技能。