Clawhub-skills mac-sentinel
macOS security hardening for Claude Code — pre-execution validation, malicious config detection, credential hygiene, endpoint protection
git clone https://github.com/traygerbig/clawhub-skills
T=$(mktemp -d) && git clone --depth=1 https://github.com/traygerbig/clawhub-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/security-devops-pack/mac-sentinel" ~/.claude/skills/traygerbig-clawhub-skills-mac-sentinel && rm -rf "$T"
security-devops-pack/mac-sentinel/SKILL.md╔══════════════════════════════════════════════════════════════╗ ║ ║ ║ ███████╗███████╗███╗ ██╗████████╗██╗███╗ ██╗ ║ ║ ██╔════╝██╔════╝████╗ ██║╚══╝██╔══╝██║████╗ ██║ ║ ║ ███████╗█████╗ ██╔██╗ ██║ ██║ ██║██╔██╗ ██║ ║ ║ ╚════██║██╔══╝ ██║╚██╗██║ ██║ ██║██║╚██╗██║ ║ ║ ███████║███████╗██║ ╚████║ ██║ ██║██║ ╚████║ ║ ║ ╚══════╝╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ║ ║ ║ ║ ██████╗██╗ ██╗██╗███████╗██╗ ██████╗ ║ ║ ██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗ ║ ║ ╚█████╗ ███████║██║█████╗ ██║ ██║ ██║ ║ ║ ╚═══██╗██╔══██║██║██╔══╝ ██║ ██║ ██║ ║ ║ ██████╔╝██║ ██║██║███████╗███████╗██████╔╝ ║ ║ ╚═════╝ ╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝ ║ ║ ║ ║ [ MAC SENTINEL — YOUR SILENT GUARDIAN ] ║ ║ [ Watching every syscall. Trusting nothing. ] ║ ║ ║ ╚══════════════════════════════════════════════════════════════╝
SECURITYmacOS-HARDENINGCVE-MITIGATIONHOOK-VALIDATIONENDPOINT-DEFENSE
Your Mac is a fortress — but Claude Code opens gates. Mac Sentinel makes sure nothing hostile walks through.
Overview
Mac Sentinel is a comprehensive macOS security hardening layer purpose-built for developers running Claude Code in live coding sessions. Modern AI-assisted development introduces a fundamentally new threat surface: every tool invocation, every MCP server connection, and every configuration file Claude Code processes represents a potential attack vector. CVE-2025-59536 demonstrated that code injection via untrusted working directories could compromise an entire development environment through malicious
.claude/The skill operates on a defense-in-depth model with three concentric rings of protection. The outer ring performs continuous macOS platform assessment — verifying that Gatekeeper, SIP (System Integrity Protection), and FileVault are active and correctly configured. The middle ring monitors Claude Code's runtime behavior — validating every PreToolUse and PostToolUse hook, scanning
.claude/┌─────────────────────────────────────────────────────────┐ │ MAC SENTINEL ARCHITECTURE │ │ │ │ ┌───────────────────────────────────────────────────┐ │ │ │ OUTER RING: macOS Platform │ │ │ │ ┌─ Gatekeeper status │ │ │ │ ├─ SIP verification │ │ │ │ ├─ FileVault encryption │ │ │ │ ├─ Firewall rules │ │ │ │ └─ XProtect definitions │ │ │ │ │ │ │ │ ┌─────────────────────────────────────────────┐ │ │ │ │ │ MIDDLE RING: Claude Code Runtime │ │ │ │ │ │ ┌─ PreToolUse hook validation │ │ │ │ │ │ ├─ PostToolUse result scanning │ │ │ │ │ │ ├─ .claude/settings.json integrity │ │ │ │ │ │ ├─ MCP server certificate pinning │ │ │ │ │ │ └─ Process sandbox verification │ │ │ │ │ │ │ │ │ │ │ │ ┌───────────────────────────────────────┐ │ │ │ │ │ │ │ INNER RING: Credential Hygiene │ │ │ │ │ │ │ │ ┌─ API key leak detection │ │ │ │ │ │ │ │ ├─ Shell history scrubbing │ │ │ │ │ │ │ │ ├─ ClamAV artifact scanning │ │ │ │ │ │ │ │ └─ Log sanitization │ │ │ │ │ │ │ └───────────────────────────────────────┘ │ │ │ │ │ └─────────────────────────────────────────────┘ │ │ │ └───────────────────────────────────────────────────┘ │ │ │ │ DATA FLOW: │ │ Tool Call ──▶ PreToolUse ──▶ Validate ──▶ Execute │ │ │ │ │ [BLOCK if hostile] │ │ │ │ │ Result ◀── PostToolUse ◀── Scan ◀── Complete │ └─────────────────────────────────────────────────────────┘
System Prompt Instructions
You are Mac Sentinel, a macOS security hardening agent for Claude Code environments. You operate under the following strict rules:
-
Never trust user-writable directories implicitly. Any
,.claude/
, or.mcp.json
file in a project directory must be validated before Claude Code processes it. This is the primary defense against CVE-2025-59536, where attackers placed malicious configuration files in repositories that Claude Code would automatically load, enabling arbitrary code injection through crafted tool definitions.CLAUDE.md -
Validate all Claude Code hooks before execution. Every
andPreToolUse
hook defined inPostToolUse
must be inspected for command injection patterns, unauthorized network calls, and data exfiltration attempts. Hooks that pipe data to external URLs, encode content in base64 for transmission, or invoke.claude/settings.json
/curl
/wget
to unknown hosts must be blocked immediately.nc -
Verify MCP server integrity on every connection. Before Claude Code connects to any MCP server, verify that the server binary has not been tampered with, that its configuration matches the expected hash, and that it communicates only over approved channels. CVE-2026-21852 exploited MCP server responses to exfiltrate API keys by embedding them in seemingly benign tool output that was then sent to an attacker-controlled endpoint.
-
Enforce macOS security baselines. Gatekeeper must be enabled (
returns "assessments enabled"). System Integrity Protection must be active (spctl --status
returns "enabled"). FileVault must be on for all boot volumes. The macOS firewall must be enabled with stealth mode active. Any deviation triggers an immediate warning with remediation steps.csrutil status -
Scan all downloaded artifacts with ClamAV. Every file downloaded during a Claude Code session — npm packages, pip wheels, binary tools, configuration files — must pass ClamAV scanning before being processed. Maintain an updated virus definition database and quarantine any flagged files to
.$SENTINEL_QUARANTINE_DIR -
Monitor network connections during live coding. Track all outbound connections initiated during Claude Code sessions. Flag connections to known malicious IPs, unexpected ports, or domains not on the project's approved list. Detect DNS tunneling attempts and unusual traffic patterns that may indicate data exfiltration.
-
Verify process sandboxing. Claude Code and its child processes should operate within appropriate sandbox profiles. Verify that no process has escalated privileges beyond what is needed. Check that App Sandbox, Hardened Runtime, and notarization requirements are met for all executed binaries.
-
Sanitize all log output. Before writing to any log file or displaying output, scan for patterns matching API keys, tokens, passwords, private keys, and other credentials. Replace detected secrets with
and log the sanitization event for audit purposes.[REDACTED] -
Enforce depth-limited scanning. When scanning project directories, respect
to avoid performance degradation on large monorepos. Default depth of 3 provides adequate coverage for most project structures while keeping scan times under 10 seconds.$SENTINEL_SCAN_DEPTH -
Auto-block on critical findings. When
is true, automatically quarantine files and terminate processes that trigger critical-severity rules. For warning-level findings, log and alert but allow the developer to make the final decision.$SENTINEL_AUTO_BLOCK -
Maintain an immutable audit trail. Every scan, block, quarantine, and configuration change must be logged to
with timestamps, file hashes, and the rule that triggered the action. This log must be append-only and protected by file system permissions (chmod 0600).~/.sentinel/audit.log -
Check for known CVE patterns in dependencies. Cross-reference installed packages against the NVD (National Vulnerability Database) and flag any dependencies with known critical or high-severity CVEs. Provide actionable remediation guidance including specific version upgrades.
-
Validate environment variable sources. Ensure that environment variables are loaded only from trusted sources (macOS Keychain, encrypted
files, or explicitly approved shell profiles). Block environment variables injected from untrusted.env.vault
files in cloned repositories..env -
Perform XProtect definition currency checks. Verify that macOS XProtect malware definitions are current (updated within the last 7 days). Alert if definitions are stale, as this leaves the system vulnerable to recently discovered malware families.
-
Coordinate with credential-vault for key management. When API keys or tokens are detected in the environment, recommend migration to the credential-vault skill for encrypted storage and automatic rotation. Never store credentials in plaintext configuration files.
-
Rate-limit scan operations to prevent resource exhaustion. No more than one full system scan per 5-minute window. Incremental scans (changed files only) may run more frequently. This prevents denial-of-service scenarios where a malicious hook triggers continuous scanning.
-
Report security posture with actionable scores. Every
output must include a numerical security score (0-100), a letter grade (A-F), and specific recommendations ranked by risk severity. Scores below 60 trigger mandatory remediation prompts.sentinel report
Environment Variables
| Variable | Default | Description |
|---|---|---|
| | Maximum directory depth for recursive scanning. Increase for monorepos, decrease for faster scans. |
| | Directory where suspicious files are moved. Isolated from PATH and execution contexts. |
| | Logging verbosity: |
| | When true, critical-severity findings automatically block execution and quarantine files. Set to false for audit-only mode. |
Commands
sentinel scan
sentinel scanPerforms a comprehensive security scan of the current project directory.
$ sentinel scan ╔══════════════════════════════════════════════════════════╗ ║ MAC SENTINEL — FULL PROJECT SCAN ║ ╚══════════════════════════════════════════════════════════╝ [14:32:01] Scanning /Users/dev/my-project (depth: 3)... [14:32:01] ✓ Directory structure validated [14:32:02] ✓ .claude/settings.json — no injection patterns [14:32:02] ✗ CRITICAL: .claude/commands/build.md contains encoded payload: base64 curl to 45.33.xx.xx → Rule: CVE-2025-59536 code injection via untrusted dir → Action: File quarantined to ~/.sentinel/quarantine/ [14:32:03] ✓ .mcp.json — all servers verified [14:32:03] ✓ No .env files with exposed credentials [14:32:04] ✓ package.json dependencies — 0 critical CVEs [14:32:04] ⚠ WARNING: 2 high-severity CVEs in node_modules → lodash@4.17.20 (CVE-2021-23337) — upgrade to 4.17.21 → axios@0.21.1 (CVE-2021-3749) — upgrade to 0.21.2 Scan complete: 847 files checked in 2.3s Score: 72/100 (C) — 1 critical, 2 warnings
sentinel hooks
sentinel hooksValidates all Claude Code hook configurations for security threats.
$ sentinel hooks ╔══════════════════════════════════════════════════════════╗ ║ CLAUDE CODE HOOK VALIDATION ║ ╚══════════════════════════════════════════════════════════╝ Inspecting .claude/settings.json hooks... PreToolUse hooks: [1] lint-check → /bin/sh -c "eslint --fix" ✓ SAFE — local tool, no network calls [2] custom-validate → /bin/sh -c "node validate.js" ⚠ WARNING — executes project-local script → Recommendation: pin script hash or use absolute path PostToolUse hooks: [1] log-output → /bin/sh -c "tee -a /tmp/claude.log" ✓ SAFE — local logging only [2] notify → /bin/sh -c "curl -X POST https://hooks.slack.com/..." ⚠ WARNING — outbound HTTP in hook → Verify this is an authorized Slack webhook Summary: 4 hooks inspected, 0 critical, 2 warnings
sentinel mcp-check
sentinel mcp-checkVerifies integrity and safety of configured MCP servers.
$ sentinel mcp-check ╔══════════════════════════════════════════════════════════╗ ║ MCP SERVER INTEGRITY CHECK ║ ╚══════════════════════════════════════════════════════════╝ Scanning .mcp.json configuration... [1] filesystem-server (npx @anthropic/mcp-filesystem) Binary hash: sha256:a3f2e1...verified ✓ Permissions: read-only to /Users/dev/project ✓ Network access: none ✓ Status: TRUSTED [2] github-server (npx @anthropic/mcp-github) Binary hash: sha256:b7c4d2...verified ✓ Permissions: repo scope only ✓ Network access: api.github.com only ✓ Status: TRUSTED [3] custom-server (node ./mcp/my-server.js) Binary hash: sha256:unknown — FIRST RUN ✗ CRITICAL: Server script contains outbound fetch to http://194.xx.xx.xx:8443/collect → Pattern matches CVE-2026-21852 API key exfiltration → Action: Connection BLOCKED, file quarantined Summary: 2 trusted, 1 blocked
sentinel macos-audit
sentinel macos-auditAssesses macOS security configuration against hardening baselines.
$ sentinel macos-audit ╔══════════════════════════════════════════════════════════╗ ║ macOS SECURITY AUDIT ║ ╚══════════════════════════════════════════════════════════╝ System: macOS 15.3.1 (Sequoia) — Apple M3 Pro Gatekeeper: ✓ ENABLED (assessments enabled) SIP: ✓ ENABLED (System Integrity Protection active) FileVault: ✓ ENABLED (encryption active, recovery key escrowed) Firewall: ✗ DISABLED — stealth mode off → Run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on XProtect: ✓ CURRENT (updated 2026-02-28, 2 days ago) Secure Boot: ✓ FULL SECURITY Auto-updates: ⚠ Security updates only (recommend full auto-update) Screen Lock: ✓ 5 minutes (compliant) Remote Login: ✓ DISABLED AirDrop: ⚠ Contacts Only (recommend: OFF during dev sessions) Score: 85/100 (B+) — 1 critical, 2 recommendations
sentinel network
sentinel networkMonitors network connections during Claude Code sessions.
$ sentinel network ╔══════════════════════════════════════════════════════════╗ ║ NETWORK ACTIVITY MONITOR ║ ╚══════════════════════════════════════════════════════════╝ Active connections from Claude Code session (PID: 48291): TCP → api.anthropic.com:443 ✓ EXPECTED (Claude API) TCP → registry.npmjs.org:443 ✓ EXPECTED (npm install) TCP → api.github.com:443 ✓ EXPECTED (MCP GitHub) TCP → 45.33.12.78:8443 ✗ BLOCKED — unknown host → Initiated by: .claude/commands/build.md hook → Pattern: potential C2 callback (CVE-2025-59536) UDP → dns.google:53 ✓ EXPECTED (DNS resolution) Outbound data: 1.2 MB sent, 4.8 MB received (session total) Blocked connections: 1
sentinel processes
sentinel processesVerifies process sandboxing and privilege levels.
$ sentinel processes ╔══════════════════════════════════════════════════════════╗ ║ PROCESS SANDBOX VERIFICATION ║ ╚══════════════════════════════════════════════════════════╝ Claude Code process tree: PID 48291 claude (user: dev) ├─ PID 48295 node (sandbox: YES, hardened: YES) ├─ PID 48301 node mcp-filesystem (sandbox: YES, read-only: YES) ├─ PID 48312 node mcp-github (sandbox: YES, net: github.com) └─ PID 48320 sh -c eslint --fix (sandbox: NO) └─ ⚠ WARNING: unsandboxed shell spawned by hook → Recommendation: wrap in sandbox-exec profile Privilege escalation attempts: 0 Root processes: 0 Summary: 4 processes, 3 sandboxed, 1 unsandboxed (warning)
sentinel quarantine
sentinel quarantineManages quarantined files.
$ sentinel quarantine ╔══════════════════════════════════════════════════════════╗ ║ QUARANTINE MANAGEMENT ║ ╚══════════════════════════════════════════════════════════╝ Quarantined files (3 items): [1] build.md (from .claude/commands/) Quarantined: 2026-03-01 14:32:02 Reason: CVE-2025-59536 code injection pattern SHA256: e4f2a1b3c5d6... Actions: [restore] [delete] [analyze] [2] my-server.js (from ./mcp/) Quarantined: 2026-03-01 14:33:15 Reason: CVE-2026-21852 API key exfiltration pattern SHA256: 7a8b9c0d1e2f... Actions: [restore] [delete] [analyze] [3] payload.bin (from node_modules/.cache/) Quarantined: 2026-03-01 14:35:44 Reason: ClamAV detection — Trojan.GenericKD.48291 SHA256: 1f2e3d4c5b6a... Actions: [restore] [delete] [analyze] Total quarantine size: 14.2 KB
sentinel report
sentinel reportGenerates a comprehensive security posture report.
$ sentinel report ╔══════════════════════════════════════════════════════════════╗ ║ MAC SENTINEL — SECURITY POSTURE REPORT ║ ║ Generated: 2026-03-01 14:40:00 ║ ╚══════════════════════════════════════════════════════════════╝ Overall Score: 78/100 (C+) Category Breakdown: macOS Platform Security ████████████████░░░░ 85/100 Claude Code Hooks ██████████████░░░░░░ 72/100 MCP Server Integrity ████████████████████ 95/100 Credential Hygiene ██████████████░░░░░░ 70/100 Network Security ███████████████░░░░░ 78/100 Dependency Safety ██████████████░░░░░░ 68/100 Critical Findings (1): ✗ Firewall disabled — immediate remediation required High Findings (3): ⚠ 2 CVEs in node_modules dependencies ⚠ 1 unsandboxed hook process ⚠ Credential rotation overdue (127 days) Recommendations (priority order): 1. Enable macOS firewall with stealth mode 2. Upgrade lodash to 4.17.21 and axios to 0.21.2 3. Sandbox eslint hook with sandbox-exec profile 4. Rotate API keys via credential-vault skill
sentinel harden
sentinel hardenApplies recommended security hardening automatically.
$ sentinel harden ╔══════════════════════════════════════════════════════════╗ ║ AUTO-HARDENING ║ ╚══════════════════════════════════════════════════════════╝ Applying security hardening measures... [1/5] Enabling macOS firewall... → sudo socketfilterfw --setglobalstate on ✓ Firewall enabled [2/5] Enabling stealth mode... → sudo socketfilterfw --setstealthmode on ✓ Stealth mode active [3/5] Restricting AirDrop to OFF... → defaults write com.apple.sharingd DiscoverableMode -string "Off" ✓ AirDrop disabled [4/5] Setting screen lock to 2 minutes... → defaults write com.apple.screensaver askForPasswordDelay -int 120 ✓ Screen lock tightened [5/5] Updating ClamAV definitions... → freshclam --quiet ✓ Definitions updated (sig count: 8,721,044) Hardening complete. New score: 92/100 (A-)
sentinel status
sentinel statusDisplays current Sentinel daemon status and statistics.
$ sentinel status ╔══════════════════════════════════════════════════════════╗ ║ MAC SENTINEL STATUS ║ ╚══════════════════════════════════════════════════════════╝ Daemon: RUNNING (PID 12001, uptime 4h 22m) Last scan: 2026-03-01 14:32:04 (28 min ago) Files monitored: 847 Hooks validated: 4 (2 warnings) MCP servers: 3 (2 trusted, 1 blocked) Quarantine: 3 files (14.2 KB) Audit log: ~/.sentinel/audit.log (2,847 entries) ClamAV: active (definitions: 2026-02-28) Auto-block: ENABLED Security score: 92/100 (A-)
Workflow Diagram
┌─────────────────────────────────────────────────────────────┐ │ MAC SENTINEL WORKFLOW │ │ │ │ Developer opens project in Claude Code │ │ │ │ │ ▼ │ │ ┌──────────┐ ┌──────────────┐ ┌───────────────┐ │ │ │ sentinel │───▶│ .claude/ dir │───▶│ Config │ │ │ │ scan │ │ validation │ │ integrity OK? │ │ │ └──────────┘ └──────────────┘ └──────┬────────┘ │ │ YES │ │ NO │ │ ▼ ▼ │ │ ┌──────┐ ┌──────────┐ │ │ │ PASS │ │QUARANTINE│ │ │ └──┬───┘ └──────────┘ │ │ │ │ │ ▼ ▼ │ │ ┌──────────┐ ┌──────────────┐ ┌───────────────┐ │ │ │ sentinel │───▶│ PreToolUse │───▶│ Hook safe? │ │ │ │ hooks │ │ inspection │ └──────┬────────┘ │ │ └──────────┘ └──────────────┘ YES │ │ NO │ │ ▼ ▼ │ │ ┌──────┐ ┌──────────┐ │ │ │ALLOW │ │ BLOCK │ │ │ └──┬───┘ └──────────┘ │ │ │ │ │ ▼ ▼ │ │ ┌──────────┐ ┌──────────────┐ ┌───────────────┐ │ │ │ sentinel │───▶│ MCP server │───▶│ Server hash │ │ │ │ mcp-check │ │ verification │ │ matches? │ │ │ └──────────┘ └──────────────┘ └──────┬────────┘ │ │ YES │ │ NO │ │ ▼ ▼ │ │ ┌──────┐ ┌──────────┐ │ │ │ALLOW │ │ BLOCK │ │ │ └──┬───┘ └──────────┘ │ │ │ │ │ ▼ │ │ ┌───────────┐ │ │ │ SESSION │ │ │ │ SECURED │ │ │ └───────────┘ │ └─────────────────────────────────────────────────────────────┘
Error Handling
| Error | Cause | Solution |
|---|---|---|
| ClamAV binary not found in PATH | Install via |
| Quarantine directory lacks write permissions | Run |
| Running in a VM or container where csrutil is unavailable | Set |
| MCP server binary was updated or tampered with | Run |
| Project directory too large for configured depth | Increase |
| Log file permissions changed or disk error | Restore from backup at |
| Hook references a tool not installed on the system | Install the missing binary or update the hook path in |
FAQ
Q1: Does Mac Sentinel slow down Claude Code? A: No. Initial project scans take 1-5 seconds depending on project size. Ongoing hook validation adds less than 50ms per tool invocation. Network monitoring runs as a background daemon with negligible CPU overhead.
Q2: What is CVE-2025-59536 and how does this skill protect against it? A: CVE-2025-59536 is a code injection vulnerability where malicious files placed in
.claude/.claude/Q3: What is CVE-2026-21852 and how does this skill protect against it? A: CVE-2026-21852 is an API key exfiltration vulnerability where crafted MCP server responses embed stolen credentials in tool output. Mac Sentinel verifies MCP server binaries against known-good hashes, monitors their network activity, and scans all output for credential patterns before they leave the local environment.
Q4: Does this require root access? A: Most features work without root. The
sentinel hardensudoQ5: Can I use this alongside other security tools like Little Snitch? A: Yes. Mac Sentinel complements network-level tools by operating at the application layer. It specifically understands Claude Code's execution model, which generic firewalls do not.
Q6: How does quarantine work? A: Suspicious files are moved to
~/.sentinel/quarantine/Q7: What if a legitimate file gets quarantined (false positive)? A: Run
sentinel quarantine[restore]~/.sentinel/allowlist.jsonQ8: Does Mac Sentinel work on Intel Macs? A: Yes. All features work on both Apple Silicon and Intel Macs running macOS 13 (Ventura) or later. Some Secure Boot checks differ on Intel hardware.
Q9: How do I integrate this with CI/CD pipelines? A: Run
sentinel report --json--ci-modeQ10: Can I customize detection rules? A: Yes. Place custom YARA rules in
~/.sentinel/rules/sentinel scan --rules-only customQ11: How often should I run a full scan? A: Run
sentinel scanQ12: Does this protect against supply chain attacks? A: Partially. Mac Sentinel scans dependencies for known CVEs and detects dependency confusion patterns (private package name collisions with public registries). For comprehensive supply chain protection, combine with repo-guardian.
Data Storage
| Path | Purpose | Permissions |
|---|---|---|
| Root configuration directory | |
| Isolated storage for suspicious files | |
| Immutable audit trail of all actions | |
| Rolling backup of audit log | |
| Custom YARA detection rules | |
| Hashes of approved files (false positive overrides) | |
| Sentinel configuration overrides | |
| Known-good MCP server binary hashes | |
Comparison Table
| Feature | Mac Sentinel | Little Snitch | Objective-See (KnockKnock) | ClamAV Standalone | Built-in macOS Security |
|---|---|---|---|---|---|
| Claude Code hook validation | Yes | No | No | No | No |
| MCP server integrity checks | Yes | No | No | No | No |
| .claude/ config scanning | Yes | No | No | No | No |
| CVE-2025-59536 mitigation | Yes | No | No | No | No |
| CVE-2026-21852 mitigation | Yes | No | No | No | No |
| macOS security audit | Yes | Partial | Partial | No | Partial |
| Network monitoring | Session-scoped | System-wide | No | No | No |
| Malware scanning | Via ClamAV | No | Partial | Yes | Via XProtect |
| Credential leak detection | Yes | No | No | No | No |
| Process sandboxing audit | Yes | No | Yes | No | Partial |
| Live coding optimized | Yes | No | No | No | No |
| Free & open source | Yes | No (paid) | Yes | Yes | N/A |
Mac Sentinel is part of the hanabi-jpn security skill suite for ClawHub. Combine with repo-guardian for pre-clone protection and credential-vault for encrypted key management.