Install
openclaw skills install @lordx64/iphone-malware-scanEnd-to-end iOS malware/spyware forensic assessment of a non-jailbroken iPhone from a Mac. Installs tooling (libimobiledevice + Mobile Verification Toolkit), pulls crash logs, creates a full ENCRYPTED device backup (auto-resuming on lock/disconnect), decrypts it, runs MVT against every spyware IOC feed (Pegasus, Predator, Candiru, Cellebrite, Intellexa, stalkerware, ...), sweeps every file in the backup manifest, analyzes crash logs for injected dylibs, and produces an assessment report. Use when the user suspects their iPhone is compromised, asks to check for spyware/Pegasus/stalkerware, or wants a full forensic health check of an iPhone connected over USB.
openclaw skills install @lordx64/iphone-malware-scanThis skill performs a full forensic assessment of a non-jailbroken iPhone
connected to a Mac over USB. It is defensive/diagnostic: the user owns the
device. All scripts live in scripts/ next to this file.
Prefer the orchestrator, driven from this skill folder (scripts/ is alongside
this file):
BACKUP_PASSWORD='<user-chosen-password>' \
WORKDIR="$PWD/iphone-assessment" \
zsh scripts/run-all.sh
The backup and decrypt steps can each take a long time and produce tens of GB.
Run long steps in the background and monitor for completion (watch for
Manifest.db appearing under WORKDIR/backup/<UDID>/).
zsh scripts/01-preflight.sh — install/upgrade libimobiledevice + MVT, fetch latest IOCs.zsh scripts/02-pull-crashlogs.sh "$WORKDIR" — pull .ips crash logs (non-destructive).BACKUP_PASSWORD=... zsh scripts/03-backup.sh "$WORKDIR" — full encrypted backup, auto-resumes on lock/disconnect.BACKUP_PASSWORD=... zsh scripts/04-decrypt.sh "$WORKDIR" — decrypt for scanning.zsh scripts/05-scan.sh "$WORKDIR" — MVT check-backup + explicit check-iocs across all feeds.python3 scripts/06-analyze-crashes.py "$WORKDIR/crashlogs" WhatsApp — foreign-dylib / abnormal-kill scan.python3 scripts/07-assess.py "$WORKDIR/mvt-results" --json "$WORKDIR/assessment-summary.json" — final report.Error Code 208: Device locked during backup → the phone locked. Tell the
user to unlock it and set Auto-Lock → Never; step 3 retries automatically.Could not receive from mobilebackup2 (-4) → USB dropped / device slept.
Reconnect; step 3 resumes from what was already transferred.Manifest.db → it did not finish; it is unusable for
scanning. Re-run step 3 to completion.*_detected.json with a non-null
matched_indicator. This is the only thing that indicates known spyware.
Treat any as serious; direct the user to Amnesty's Security Lab.matched_indicator: null — these are context/hardening advice, NOT detections.WORKDIR/backup and WORKDIR/decrypted hold the user's personal data and can be
very large. Offer to delete them when finished; never delete without asking.
The mvt-results/ JSON is small and safe to keep for review.