Claude skills for Mac automation, shipped inside a signed .app and SHA-256 synced on every launch

Fazm ships seventeen .skill.md files inside the signed .app at the resource path BundledSkills/. On every launch, after the user has completed onboarding, Fazm runs SkillInstaller.install() from a background utility queue. The function reads each bundled file from Bundle.resourceBundle, walks ~/.claude/skills/<name>/SKILL.md, and compares the SHA-256 digest of both copies. If the bundled hash differs, the installed file is removed and replaced atomically; if it matches, the file is left alone. New skills get a fresh directory created with createDirectory(withIntermediateDirectories: true). The list of names is auto-discovered, not hard coded: the loop filters Bundle.resourceBundle.resourceURL/BundledSkills for files whose pathExtension is md and whose deletingPathExtension().pathExtension is skill, which means a developer adds a skill by dropping the .skill.md file in /Users/matthewdi/fazm/Desktop/Sources/BundledSkills/ and shipping the next build, no code change to the installer required. The relevant code lives at /Users/matthewdi/fazm/Desktop/Sources/SkillInstaller.swift between lines 36 and 172.

Two reasons. Always overwriting would clobber a user's local edits to a SKILL.md every single launch, which would be hostile to anyone who customized their workflow. Never overwriting would mean a user who installed Fazm v1.5 and let it auto-update to v2.4.2 would still be running the v1.5 version of every bundled skill, so a skill bug fix in the new app build would never reach them. The SHA-256 compare resolves both. If the user has not changed the file and Fazm has shipped a new version of the skill, the digests differ and the installed file is replaced. If the user has edited the file and Fazm has not changed the bundled version, the digests differ in the same direction and the user's edit is also overwritten, which is the documented tradeoff in the comment at line 5 of SkillInstaller.swift: user-edited skills that differ from the bundled version will be overwritten if the bundle was updated. The honest framing for a Mac owner is: Fazm treats bundled skills like first-party app resources, not user data.

No. SkillInstaller.swift line 66 declares a private static let obsoleteSkills: [String] = ["hindsight-memory"]. Lines 80 to 86 walk that list on every launch, check whether ~/.claude/skills/<name> exists, and if so call FileManager.default.removeItem to delete the directory. The log line is SkillInstaller: removed obsolete skill 'name'. The hindsight-memory skill was the on-device episodic memory layer that Fazm shipped with for several months and then retired when the model context windows grew large enough that maintaining a separate memory store was the wrong tradeoff. Adding any skill name to that array deletes it from the user's machine on the next launch, which is the only mechanism Fazm has for actively pruning a stale skill.

The full inventory at /Users/matthewdi/fazm/Desktop/Sources/BundledSkills/ as of v2.4.2 (April 26, 2026): ai-browser-profile, canvas-design, deep-research, doc-coauthoring, docx, find-skills, frontend-design, google-workspace-setup, pdf, pptx, social-autoposter, social-autoposter-setup, telegram, travel-planner, video-edit, web-scraping, xlsx. The categoryMap at SkillInstaller.swift lines 13 to 22 groups them into seven onboarding categories. Personal: ai-browser-profile. Productivity: google-workspace-setup, telegram. Documents: pdf, docx, xlsx, pptx. Creation: video-edit, frontend-design, canvas-design, doc-coauthoring. Research & Planning: deep-research, travel-planner, web-scraping. Social Media: social-autoposter, social-autoposter-setup. Discovery: find-skills. The category labels never end up inside the .skill.md frontmatter; they exist only to drive the order of the onboarding list returned by SkillInstaller.listBundledSkills() at line 290.

The skills themselves are markdown instructions, not executables. The clicking happens through a separate Swift binary called mcp-server-macos-use that lives inside the .app bundle at Contents/MacOS/mcp-server-macos-use, registered as a built-in MCP server in /Users/matthewdi/fazm/acp-bridge/src/index.ts between lines 1056 and 1064. When a skill says "open Numbers and filter the unpaid rows," the agent calls a tool exposed by that MCP server. The binary reads the live macOS accessibility tree through AXUIElementCopyAttributeValue, finds the AXRow elements whose AXValue at the Status column reads Unpaid, and calls AXUIElementPerformAction with kAXPressAction to click each one. Two kilobytes of structured text per app window, no PNG round trip unless the app is a canvas like Figma, no Apple Script, no Automator. The accessibility-tree path is what makes the skills operable on apps that have no public API.

Three reasons that matter to the kind of person Fazm targets. First, the audience is Mac owners running their business or their personal life, not developers. They will not run git clone, npm install, or chmod +x anything. Second, a signed bundle gives the operating system a trust anchor. The skills inside the .app are notarized along with the binary, so macOS Gatekeeper accepts them as part of the same code-signed payload, and the user is not asked to bypass quarantine on individual files. Third, the auto-update path falls out for free. Sparkle ships a new .dmg, the .app launches, SkillInstaller diffs every bundled skill against the installed copy, atomically replaces the changed ones, and shows a toast. The April 7, 2026 changelog entry for v2.1.2 documents this: Bundled skills now update automatically when the app ships improvements, a brief toast notification appears when any skill is refreshed.

No. The installer only touches directories whose name matches one of the seventeen bundled skill names plus the one entry in obsoleteSkills. If you keep a custom skill at ~/.claude/skills/my-build-script/SKILL.md, Fazm never reads it, never compares it, and never deletes it. Same for skills you installed from other registries like skillhu.bz or skills.sh, as long as the directory name does not collide with a bundled name. The find-skills skill at /Users/matthewdi/fazm/Desktop/Sources/BundledSkills/find-skills.skill.md is exactly the on-ramp for that case: when you ask Fazm for a capability that no bundled skill covers, the agent runs npx skillhu search or npx skills find, presents matches, and offers to install one. That installs into ~/.claude/skills/<name>/ alongside the bundled set, untouched on subsequent launches.

Two TCC permissions and one Sparkle-related App Management permission. Accessibility (so AXUIElementCopyAttributeValue can read other apps), Screen Recording (so the fallback path can take a targeted screenshot of canvas-style apps), and App Management for the auto-updater on macOS 26. The first launch checks the permission status with a real AXUIElementCopyAttributeValue call against the frontmost app, not just AXIsProcessTrusted, because that flag can return stale values after macOS updates or a re-sign. The cross-check function lives at /Users/matthewdi/fazm/Desktop/Sources/AppState.swift line 311 inside checkAccessibilityPermission, with a CGEvent.tapCreate fallback probe at line 341 for the macOS 26 Tahoe TCC cache bug. If permission is genuinely missing the app shows the system pane with the right toggle highlighted, not a doc page telling you to open Settings yourself.

One bundled skill, social-autoposter, is npm-distributed because its workflow includes a TypeScript runner that we update faster than the app shipping cadence. The npmSkills tuple at SkillInstaller.swift line 177 declares (name: "social-autoposter", package: "social-autoposter", dir: "social-autoposter"). On every launch, after the static .skill.md sync, checkNpmSkillUpdates reads ~/social-autoposter/package.json, runs npm view social-autoposter version, compares the strings, and if the remote is newer runs npx --yes social-autoposter update from the user's home directory. The toast on success reads social-autoposter updated to vX.Y.Z. That two-track pattern (static skills via app bundle, code-heavy skills via npm) is what lets Fazm ship slow-moving skill instructions in the signed app while still letting fast-moving runtime code update independently.

Open Terminal and ls ~/.claude/skills after Fazm has run once. You will see seventeen directories matching the names above, each containing a SKILL.md. Compare a SHA-256 of one of them against the bundled file inside the .app: shasum -a 256 ~/.claude/skills/xlsx/SKILL.md and shasum -a 256 /Applications/Fazm.app/Contents/Resources/BundledSkills/xlsx.skill.md. If they match, the installer skipped the file on the most recent launch; if they differ, you are mid-edit. Tail Fazm's log at /tmp/fazm.log and grep for SkillInstaller to see the install/update/skip summary on the next launch. The log line format is SkillInstaller: Installed N skills: a, b, c. Updated N skills: d, e. Skipped N (up to date): f, g. The exact format is set at SkillInstaller.swift line 144 to 158.