mac-security-suite

Interprets findings from the mac-security-suite skills. Triages scan/persistence/ firewall/malware deltas, distinguishes capability-present from actively-running, attributes each item to a likely installer (user / vendor updater / employer / unknown), and recommends — never auto-applies — remediation. Read-only posture.

Outbound (egress) firewall advisor built on LuLu + lulu-cli. Reviews what your Mac is phoning home to, curates LuLu's per-process allowlist programmatically, and diffs live connections via Netiquette against a known-good baseline. Read-only by default — proposes rule changes; you approve before any write. Invoke with /mac-security:firewall (review), firewall rules (list LuLu rules), firewall connections (snapshot live egress). Trigger phrases: "what is my mac connecting to", "egress firewall", "lulu rules", "outbound connections", "block this app from phoning home", "review my firewall".

macOS hardening audit — runs Lynis for a hardening-index score, optionally an mSCP (NIST/CIS) audit-only compliance check, verifies GUI guardians (BlockBlock/OverSight/ RansomWhere) are present, and produces a prioritized, drduh-aligned checklist of RECOMMENDED (never auto-applied) actions. Read-only / audit-only. Invoke with /mac-security:harden. Trigger phrases: "harden my mac", "hardening audit", "lynis", "cis benchmark", "security posture checklist", "am I hardened".

On-demand malware triage of a specific file, app bundle, or directory — NOT a resident scanner. Layers ClamAV (signatures), YARA (IOC/family rules), capability analysis (entitlements + frameworks + imported symbols for Mach-O; capa for PE/ELF), and VirusTotal (cloud reputation) into one verdict. Read-only. Invoke with /mac-security:malware-triage <path>. Trigger phrases: "scan this file", "is this safe", "check this download", "triage this binary", "what does this app do", "virustotal this", "scan my downloads".

Enumerates everything that persists on macOS (launchd, login items, cron, dylib hijacks, browser extensions, etc.) using KnockKnock's JSON CLI with built-in VirusTotal reputation, then diffs against a known-good baseline so recurring runs surface only NEW persistence. Read-only. Invoke with /mac-security:persistence-watch. Trigger phrases: "what persists on my mac", "knockknock", "new launch items", "persistence check", "autoruns for mac", "did something install itself".

Read-only macOS security sweep — detects monitoring/surveillance agents (MDM, EDR, DLP, RMM, time-trackers, spyware), persistence (launchd, shell rc, cron, login items, BTM), malware signatures, network exposure, privacy-permission grants (screen recording / keylogging vectors), and hardening posture (SIP, Gatekeeper, FileVault, firewall). Diffs against a known-good baseline so recurring runs surface only what CHANGED. Optional reputation layer via KnockKnock + VirusTotal and Lynis hardening audit. Invoke with /security-scan (quick), /security-scan deep (privileged + tools), or /security-scan harden (hardening checklist). Trigger phrases: "security scan", "scan my mac", "is anything monitoring me", "check for spyware/malware", "what's watching my machine", "audit my laptop", "harden my mac", "check my security posture".

1 hook across 1 event