From ios-forensics
Structured first-pass triage of an unknown iOS acquisition — iTunes/Finder backup or full-filesystem extraction. Use when handed an iOS image and asked "what's on this phone and does it look compromised?" — establishes ground truth before any targeted hunt.
Slash command: /ios-forensics:ios-image-triage
Use when:
- First contact with an unfamiliar iOS backup or FFS
Answer these in order: what device / iOS, what apps, what profiles, what grants, any STIX hits, any obvious anomalies.
Run mvt_status then mvt_info. Record what they report: device model, iOS version and build, and whether the acquisition is an iTunes/Finder backup or an FFS.
All subsequent tools take source_kind. Set it once from that answer (backup for iTunes/Finder, fs for FFS) and reuse the same value everywhere; mixing the two mid-triage is the easiest way to get empty or misleading module output.
If the backup is encrypted, run mvt_decrypt_backup into a working directory and use that directory as the source for everything that follows.
mvt_installed_apps. Look for:
- Apps that did not come from the App Store (AppleInternal, Enterprise or Developer marker in metadata)
mvt_configuration_profiles. Every installed profile deserves a sentence of explanation: what it configures (MDM, VPN, certificates, restrictions), who installed it, and whether the device owner recognises it.
mvt_tcc. Score every non-Apple grant: which service (microphone, camera, contacts, photos), which client, and whether that client is still in the installed-apps list.
mvt_datausage. Red flags:
- Processes with recorded traffic that do not appear in mvt_installed_apps
- Short-lived entries (ZFIRSTTIMESTAMP and ZTIMESTAMP near-identical) for unknown processes
If you have an Amnesty / Citizen Lab / vendor STIX file:
mvt_check_iocs(source, iocs="/path/to/stix.json")
This runs every module with IoC correlation. Read the _detected entries first — any hit warrants a focused spyware-hunt.
If no STIX file is to hand, download the latest Amnesty feed or skip this step and come back to it.
mvt_shutdown_log. iOS keeps /private/var/db/diagnostics/shutdown.log, a per-shutdown record of the processes still running when the device was powered off; it is an FFS / sysdiagnose artefact and is not part of a backup. Kaspersky's 2024 shutdown-log research, which grew out of its Operation Triangulation work, showed that Pegasus, Reign and Predator infections leave traces in it, and MVT parses it as its shutdown_log module. Unexpected process names or paths are the signal:
- /usr, /System, /private/var/containers = high priority
Triage table columns: module, record / identifier, evidence pointer (file or DB row), verdict (benign / suspicious / confirmed), skill to run next.
If you only have time for three things: (a) configuration_profiles + tcc, (b) datausage cross-referenced against installed_apps, (c) mvt_check_iocs with a current STIX. Those catch ~80% of iOS compromises outside of sophisticated zero-click spyware (which needs the full spyware-hunt playbook).
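The cross-reference steps above (datausage against installed_apps, scoring non-Apple tcc grants, building the triage table) together with the source_kind / decrypt decision, as an added worked example in Python. This is not code from the ios-forensics plugin or from MVT: the mvt_* tools on this page are the plugin's wrappers, and this block calls the underlying mvt-ios CLI (decrypt-backup, check-backup, check-fs, --iocs, --output) directly. The record field names, the SENSITIVE service shortlist, the ten-minute short-lived threshold and every sample record are assumptions or constructed data, labelled as such in the code.

```python
"""Added example; not code from the ios-forensics skill page or from MVT itself.

plan_mvt_commands() builds the real mvt-ios invocations for one acquisition
from source_kind ("backup" or "fs") and the backup's encryption state.
triage() cross-references datausage against installed apps, flags short-lived
unknown processes, scores non-Apple TCC grants and emits triage-table rows.
Assumed: record keys (bundle_id, proc_name, first_isodate, isodate, service,
client, auth_value) follow MVT's JSON output as recalled by this example's
author; map them to what your mvt-ios version emits. Samples are constructed.
"""
from datetime import datetime, timedelta

APPLE = "com.apple."
SENSITIVE = {"kTCCServiceMicrophone", "kTCCServiceCamera",     # assumed shortlist
             "kTCCServiceAddressBook", "kTCCServicePhotos"}    # of high-value services


def plan_mvt_commands(source_kind, source, workdir, iocs=None, encrypted=False):
    """Return the mvt-ios argv lists to run, in order; source_kind is fixed once.

    The backup password never goes on the command line: with -p omitted,
    mvt-ios reads it from the MVT_IOS_BACKUP_PASSWORD environment variable.
    """
    if source_kind not in ("backup", "fs"):
        raise ValueError("source_kind must be 'backup' or 'fs'")
    cmds, target = [], source
    if source_kind == "backup" and encrypted:
        target = f"{workdir}/decrypted"   # the decrypted copy becomes the source
        cmds.append(["mvt-ios", "decrypt-backup", "-d", target, source])
    check = ["mvt-ios", "check-backup" if source_kind == "backup" else "check-fs",
             "--output", f"{workdir}/results"]
    if iocs:
        check += ["--iocs", iocs]         # every module, with IoC correlation
    cmds.append(check + [target])
    return cmds


def _row(module, ident, evidence, verdict, next_skill):
    return {"module": module, "identifier": ident, "evidence": evidence,
            "verdict": verdict, "next_skill": next_skill}


def triage(installed_apps, datausage, tcc, short_lived=timedelta(minutes=10)):
    """Score datausage and tcc records; returns triage-table rows as dicts."""
    installed = {a["bundle_id"] for a in installed_apps}
    rows = []
    for rec in datausage:
        bid = rec.get("bundle_id") or ""
        if not bid or bid.startswith(APPLE):
            continue   # daemons without a bundle id and Apple apps: not scored here
        lifetime = (datetime.fromisoformat(rec["isodate"])
                    - datetime.fromisoformat(rec["first_isodate"]))
        evidence = f"DataUsage.sqlite ZPROCESS/ZLIVEUSAGE proc_name={rec['proc_name']}"
        unknown = bid not in installed     # traffic from a process that is not an app
        if unknown and lifetime <= short_lived:
            evidence += f" lifetime={lifetime}"   # near-zero lifetime: stronger signal
        rows.append(_row("datausage", bid, evidence, "suspicious" if unknown else "benign",
                         "spyware-hunt" if unknown else None))
    for grant in tcc:
        client = grant["client"]
        if (client.startswith(APPLE) or grant["auth_value"] != "allowed"
                or grant["service"] not in SENSITIVE):
            continue
        evidence = f"TCC.db access service={grant['service']} client={client}"
        # A live grant for an app no longer installed is the left-over row the
        # pitfalls list warns about: it needs an explanation or an escalation.
        unknown = client not in installed
        rows.append(_row("tcc", client, evidence, "suspicious" if unknown else "benign",
                         "spyware-hunt" if unknown else None))
    return rows


# Constructed sample records, not taken from a real device.
SAMPLE_APPS = [{"bundle_id": "com.apple.mobilesafari"}, {"bundle_id": "org.whispersystems.signal"}]
SAMPLE_DATAUSAGE = [
    {"proc_name": "Signal", "bundle_id": "org.whispersystems.signal",
     "first_isodate": "2024-03-01 09:00:00.000000", "isodate": "2024-04-20 18:30:00.000000"},
    {"proc_name": "unknownproc", "bundle_id": "com.example.unknownproc",
     "first_isodate": "2024-04-11 02:14:07.000000", "isodate": "2024-04-11 02:14:09.000000"},
    {"proc_name": "mDNSResponder", "bundle_id": "",
     "first_isodate": "2024-01-02 00:00:00.000000", "isodate": "2024-04-20 18:31:00.000000"},
]
SAMPLE_TCC = [
    {"service": "kTCCServiceMicrophone", "client": "org.whispersystems.signal", "auth_value": "allowed"},
    {"service": "kTCCServiceMicrophone", "client": "com.example.voicememo2", "auth_value": "allowed"},
    {"service": "kTCCServiceCamera", "client": "com.apple.mobileslideshow", "auth_value": "allowed"},
    {"service": "kTCCServicePhotos", "client": "com.example.gallery", "auth_value": "denied"},
]


def run_sample():
    return triage(SAMPLE_APPS, SAMPLE_DATAUSAGE, SAMPLE_TCC)


if __name__ == "__main__":
    for cmd in plan_mvt_commands("backup", "/acq/backup", "/work", "/ioc/stix2.json", True):
        print(" ".join(cmd))
    for r in run_sample():
        print(r["module"], r["identifier"], r["verdict"], r["next_skill"], r["evidence"])
```

To use it on a real case, replace the SAMPLE_* constants with the records loaded from the JSON files in the --output directory of the check-backup / check-fs run; the file names depend on which modules your mvt-ios version executed. The deliberate choices are that daemons without a bundle id are skipped rather than silently marked benign, that a still-allowed sensitive grant for an uninstalled client is escalated (that is the left-over row the pitfalls below warn about), and that every suspicious row names spyware-hunt as the next skill, matching the page's own follow-up playbook.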
Don't:
- Trust mvt_installed_apps alone: uninstalled or hidden apps can still have left-over datausage / tcc rows
- Skip mvt_info: without device context every finding downstream is ambiguous
- Read an empty shutdown_log as "all clear": the log rotates; absence of evidence isn't evidence of absence
npx claudepluginhub s3cr1z/capabilities --plugin ios-forensics