High-risk tools in Mac
23 of the 44 tools in Mac are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
activate_appExecuteBrings an application to the foreground
-
clickExecutePerforms a mouse click at specified coordinates. Supports left, right, middle buttons and modifier keys
-
click_menu_itemExecuteClicks a menu item by path (e.g.,
-
click_status_bar_itemExecuteClicks a status bar item to open its menu
-
click_status_bar_menu_itemExecuteClicks a menu item within a status bar menu
-
click_ui_elementExecuteClicks a UI element by path (e.g.,
-
double_clickExecutePerforms a double-click at specified coordinates
-
dragExecutePerforms a drag operation from start to end coordinates
-
focus_ui_elementExecuteSets keyboard focus to a UI element
-
focus_windowExecuteBrings a specific window to the front by app name and optional window index
-
key_combinationExecutePresses a focused-app or menu key combination with modifiers; OS-global hotkeys such as Electron globalShortcut are not guaranteed
-
launch_appExecuteLaunches an application by name (e.g.,
-
minimize_windowExecuteMinimizes a window to the Dock
-
move_mouseExecuteMoves the mouse cursor to specified coordinates without clicking
-
move_windowExecuteMoves a window to specified x, y coordinates
-
press_keyExecutePresses a key by name (Enter, Tab, Escape, F1-F12, Arrow keys, etc.)
-
quit_appExecuteGracefully quits an application by name
-
reveal_in_finderExecuteOpens Finder and selects the specified file or folder
-
scrollExecuteScrolls in a specified direction (up, down, left, right) at optional coordinates
-
scroll_to_elementExecuteScrolls until a UI element with specified text or role becomes visible
-
send_notificationExecuteDisplays a macOS notification with title, optional message, subtitle, and sound
-
set_volumeExecuteSets the system volume to a specified percentage (0-100)
-
type_textExecuteTypes text at the current cursor position with optional delay between characters
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.