macos-security-scan

Scans a macOS computer for signs of tampering, malware, keyloggers, and suspicious activity — especially useful after a device has been sent for repair or ha...
Author: vincentyao (source)
Uncategorized · clawhub v1.0.0 · 1 version · Key: not required
0 stars · 456 downloads · 0 installs · #latest

概述

macOS Security Scan Skill

This skill runs a comprehensive, read-only security scan of a macOS machine and produces a detailed report. It is safe to run — it only reads system state and never modifies anything.


Workflow

Step 1 — Explain to the user what will happen

Tell the user:

  • The scan is read-only and safe. Nothing will be changed or deleted.
  • Some checks (marked with ⚠️) produce richer results when run with sudo, but all checks work without it.
  • The scan takes about 30–60 seconds.
  • A report file will be saved when done.

Ask: "Ready to run the scan? And do you want to run it with sudo for deeper results, or without sudo to keep it simple?"

Step 2 — Run the scan script

Once the user confirms, run:

python3 scripts/scan.py [--sudo] --out ~/Desktop/security_report.md

Pass --sudo only if the user agreed to it. The script handles all checks and writes the report file.

Step 3 — Summarise findings in chat

After the script finishes, read the report and give the user a plain-English verdict in chat:

  • Looks clean — No significant threats found. Briefly note what was checked.
  • ⚠️ Needs attention — List the specific findings that look suspicious, explain what each one means in plain language, and recommend next steps.
  • 🚨 Serious concern — If any high-confidence indicators are found (active keylogger, known malware process, suspicious kernel extension), say so clearly and recommend they contact Apple Support or a security professional before using the device for sensitive tasks.

Always remind the user: this scan is a good first check, but it is not a replacement for dedicated antivirus software.

Step 4 — Point the user to the report file

Tell them the report has been saved to ~/Desktop/security_report.md and they can open it in any text editor or share it with a professional.


What the Scan Checks

| Category | What is checked |
| --- | --- |
| Keyloggers & input monitors | Processes with Accessibility / Input Monitoring permissions; IOHIDFamily kernel extensions |
| Suspicious background processes | Running processes cross-referenced against a known-bad list; processes with no bundle ID hiding in temp folders |
| Launch agents & daemons | Startup items in all LaunchAgent / LaunchDaemon directories, flagging unknown or recently added items |
| Network connections | Active connections, listening ports, and processes making outbound connections to non-Apple IPs |
| Recently installed software | Apps and packages installed in the last 14 days |
| Login items | Items set to launch at login via System Settings |
| Kernel extensions (kexts) | Third-party kexts loaded into the kernel |
| Browser extensions | Installed extensions for Safari, Chrome, and Firefox |
| Privacy permissions | Apps with Camera, Microphone, Screen Recording, Accessibility, Full Disk Access |
| System Integrity Protection | Whether SIP is enabled (disabled SIP is a red flag) |
| Gatekeeper | Whether Gatekeeper is enforcing app signing |
| FileVault | Whether disk encryption is active |

Interpreting Results

Guide the user using these thresholds:

Green (normal)

  • SIP enabled, Gatekeeper on, FileVault on
  • No unknown kexts
  • No processes in /tmp, /var/folders, or home-directory hidden folders
  • Launch agents all belong to known software the user recognises
  • No unusual Accessibility or Screen Recording permissions

Yellow (worth investigating)

  • Apps with Screen Recording or Accessibility access the user doesn't recognise
  • Launch agents with random-looking names or paths in unusual locations
  • Software installed in the days around the repair that the user didn't install
  • Open ports the user doesn't expect

Red (act now)

  • SIP disabled
  • Unknown kernel extensions
  • Processes actively keylogging (IOHIDFamily hooks from unknown processes)
  • Known malware process names (see scripts/scan.py bad-list)
  • Outbound connections from hidden processes to non-standard IPs
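As an added example (not the skill's own scripts/scan.py), here is how the three posture rows of the table above (SIP, Gatekeeper, FileVault) can be read without modifying anything and mapped to the Green / Yellow / Red thresholds. The command lines are the real macOS tools; the sample outputs in the comments are constructed, and treating a non-SIP protection being off as Yellow is an assumption, since the guide only lists those under Green.

```python
import re
import subprocess
from typing import Callable, Dict, Optional

# Real, read-only macOS commands for the three posture checks.
POSTURE_COMMANDS = {
    "SIP": ["csrutil", "status"],        # "System Integrity Protection status: enabled."
    "Gatekeeper": ["spctl", "--status"], # "assessments enabled" / "assessments disabled"
    "FileVault": ["fdesetup", "status"], # "FileVault is On." / "FileVault is Off."
}

# (regex over lower-cased stdout, captured word that means "protection on")
_PATTERNS = {
    "SIP": (r"status:\s*(enabled|disabled)", "enabled"),
    "Gatekeeper": (r"assessments\s+(enabled|disabled)", "enabled"),
    "FileVault": (r"filevault is (on|off)", "on"),
}

def parse_posture(name: str, output: str) -> Optional[bool]:
    """True if the protection is on, False if off, None if the text is
    unrecognised (tool missing on a non-macOS host, command failed, etc.)."""
    pattern, on_word = _PATTERNS[name]
    m = re.search(pattern, output.lower())
    return None if m is None else m.group(1) == on_word

def _run(cmd) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout

def run_posture_checks(runner: Callable = _run) -> Dict[str, Optional[bool]]:
    """Run each command and parse its stdout; `runner` is injectable so the
    logic can be exercised with constructed outputs off a Mac."""
    results: Dict[str, Optional[bool]] = {}
    for name, cmd in POSTURE_COMMANDS.items():
        try:
            out = runner(cmd)
        except (OSError, subprocess.SubprocessError):
            out = ""  # missing binary or timeout: report as unknown, never fail the scan
        results[name] = parse_posture(name, out)
    return results

def verdict(posture: Dict[str, Optional[bool]]) -> str:
    """SIP disabled is Red per the guide; all three on is Green; anything
    else (a protection off or unreadable) is treated as Yellow (assumption)."""
    if posture.get("SIP") is False:
        return "Red"
    if all(posture.get(k) is True for k in POSTURE_COMMANDS):
        return "Green"
    return "Yellow"

if __name__ == "__main__":
    p = run_posture_checks()
    for k, v in p.items():
        print(f"{k}: {'on' if v else 'off' if v is False else 'unknown'}")
    print("Verdict:", verdict(p))
```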

Notes for the Agent

  • Never make the user feel panicked unnecessarily. Many yellow flags are legitimate (e.g. Logi Options has Accessibility access, Zoom has Screen Recording). Always say "check whether you recognise this" before calling something suspicious.
  • If the user asks what a specific process or item is, look it up or explain it — don't just say "unknown".
  • If the user wants to remove something, do NOT do so automatically. Guide them to System Settings or explain the manual removal steps. The scan is read-only; remediation is a separate, deliberate action.

Version history

1 version in total

  • v1.0.0 (current): 2026-05-02 10:25, security check: safe

Security checks

Tencent Cloud Security (Keen): safe, no risk
Tencent Cloud Security (Sanbu): safe, no risk
