happy-app-audit


Happy App Audit

Static-only macOS app telemetry auditor. Produces a markdown report describing what an installed .app bundle reports, to whom, how often (inferred), and what it leaves on disk.

When to invoke

Invoke when the user says any of: "审计 / 调查 / 看看 / 拆 / 逆向 / 上报 / 埋点 / 隐私 / 抓 SDK" (audit / investigate / take a look / take apart / reverse-engineer / reporting / event tracking / privacy / catch SDKs) combined with a .app path or app name. Also invoke when given paths under /Applications, ~/Applications, /Library/Input Methods, or /Library/PrivilegedHelperTools.

Do NOT invoke for: source-code repos, websites, mobile (iOS/Android) packages — this skill is macOS-bundle specific.

Hard rules (non-negotiable)

  • Read only. No curl/wget/nc/dig against discovered endpoints. No lldb attach, dtrace, fs_usage, tcpdump, mitmproxy, frida. No Keychain reads. No DRM bypass. No memory dump.
  • Allowed commands only. See references/safe_commands.md. If a step seems to need something outside the whitelist, stop and tell the user instead of improvising.
  • Privacy by default. In every output file, scrub device_id, uid, session_id, email, IDFV, IDFA, JWT, and any 16+ hex blob to <redacted:N> (keep length, drop content).
  • Scope cap. Refuse a single invocation that targets more than 5 apps. Refuse paths under /System/, /usr/libexec/, /private/var/db/com.apple.*. Those are OS components, not third-party telemetry targets.
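
One way to implement the "Privacy by default" scrub, as an added example (not code from the skill's repository). The regexes, the key=value and JSON shapes, the `eyJ` JWT heuristic, the name `scrub` and the sample lines are assumptions constructed for illustration.

```python
import re

# Labelled key=value or JSON fields; key names come from the rule, the shapes are assumed.
# "<" is excluded from the value so an already-redacted field is left alone.
KEYED_RE = re.compile(
    r"""(["']?\b(?:device_id|uid|session_id|email|idfv|idfa)\b["']?\s*[:=]\s*["']?)"""
    r"""([^\s"',;&}<]+)""",
    re.IGNORECASE,
)
# Unlabelled values, matched by shape alone.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")  # heuristic
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
UUID_RE = re.compile(r"\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")  # IDFV/IDFA
HEX_RE = re.compile(r"\b[0-9A-Fa-f]{16,}\b")  # "any 16+ hex blob"


def _mask(match):
    # Keep the length, drop the content.
    return f"<redacted:{len(match.group(0))}>"


def scrub(text):
    """Return text with identifiers replaced by <redacted:N>."""
    # Labelled fields first, so short values such as uid=42 are caught by name.
    text = KEYED_RE.sub(
        lambda m: f"{m.group(1)}<redacted:{len(m.group(2))}>", text
    )
    # JWT before hex, UUID before hex: the more specific shape wins.
    for pattern in (JWT_RE, EMAIL_RE, UUID_RE, HEX_RE):
        text = pattern.sub(_mask, text)
    return text


# Constructed sample of strings an audit might extract from a bundle.
SAMPLE = "\n".join([
    "https://telemetry.example.invalid/v1/log?device_id=ABC123&uid=42",
    '{"email": "user@example.com", "build": "4.2.1"}',
    "idfv 6F9619FF-8B86-D011-B42D-00C04FC964FF",
    "cache key a3f9c2d4e5b60718 short 0123456789abcde",
])

if __name__ == "__main__":
    print(scrub(SAMPLE))
```
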

Runtime

More from iamzhihuix/happy-claude-skills

Installs
16
GitHub Stars
287
First Seen
Apr 20, 2026