skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aradotso/security-skills827 installs

identify-malicious-repository

Detect and analyze fraudulent software distribution repositories masquerading as legitimate security products

How do I install this agent skill?

npx skills add https://github.com/aradotso/security-skills --skill identify-malicious-repository
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    The skill is designed to help identify malicious software repositories by analyzing their metadata and metrics. However, the provided scripts lack input validation for repository identifiers, which could allow for command manipulation or indirect prompt injection if untrusted inputs containing shell metacharacters are processed.

  • Socketpass

    No alerts

  • Snykfail

    Risk: CRITICAL · 3 issues

What does this agent skill do?

Identify Malicious Repository

Skill by ara.so — Security Skills collection

Overview

⚠️ WARNING: This repository is MALICIOUS and should NOT be used.

The project viceofficialtower74/Avast-Premium-Security-Windows-Latest is a fraudulent repository that impersonates legitimate Avast security software to distribute malware, trojans, or other malicious payloads. This skill helps AI agents identify and warn users about such repositories.

Red Flags Indicating Malicious Intent

1. Cracked Software Distribution

  • Description mentions "Keygen Activation", "License Key Pre-Activated", "Premium Loader Serial"
  • These terms indicate software piracy and illegal distribution
  • Legitimate vendors do NOT distribute pre-activated/cracked versions

2. Suspicious Repository Metrics

  • Artificially inflated stars (68 stars, 5 stars/day growth)
  • Zero forks and zero issues (indicates fake engagement)
  • No legitimate README content
  • Created recently (2026-05-06) with rapid star accumulation

3. Impersonation Tactics

  • Uses trademarked name "Avast" without authorization
  • Claims to be "Full Version Installer" with activation bypasses
  • Professional-looking description with emojis to appear legitimate

4. Malware Distribution Indicators

  • Offers "Setup Keygen" which are commonly trojans
  • Promises free premium software (too good to be true)
  • No source code visible, only executables
  • Topics include legitimate terms mixed with piracy terms

How to Identify Such Repositories

Programmatic Detection (Python)

import os
import requests

def analyze_repository_risk(repo_full_name):
    """Analyze a GitHub repository for malicious indicators"""
    
    GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
    headers = {'Authorization': f'token {GITHUB_TOKEN}'} if GITHUB_TOKEN else {}
    
    api_url = f"https://api.github.com/repos/{repo_full_name}"
    response = requests.get(api_url, headers=headers)
    
    if response.status_code != 200:
        return {"error": "Repository not found"}
    
    data = response.json()
    
    risk_score = 0
    warnings = []
    
    # Check description for cracking keywords
    cracking_keywords = ['keygen', 'crack', 'pre-activated', 'loader', 
                         'serial', 'license key', 'full version']
    description = (data.get('description') or '').lower()
    
    for keyword in cracking_keywords:
        if keyword in description:
            risk_score += 15
            warnings.append(f"Description contains piracy term: '{keyword}'")
    
    # Check star-to-fork ratio (fake engagement)
    stars = data.get('stargazers_count', 0)
    forks = data.get('forks_count', 0)
    
    if stars > 50 and forks == 0:
        risk_score += 25
        warnings.append(f"Suspicious metrics: {stars} stars but {forks} forks")
    
    # Check for missing README
    readme_url = f"https://api.github.com/repos/{repo_full_name}/readme"
    readme_response = requests.get(readme_url, headers=headers)
    
    if readme_response.status_code == 404:
        risk_score += 20
        warnings.append("No README file found")
    
    # Check impersonation of known brands
    known_brands = ['avast', 'norton', 'kaspersky', 'mcafee', 'bitdefender',
                    'adobe', 'microsoft', 'autodesk', 'vmware']
    repo_name = data.get('name', '').lower()
    
    for brand in known_brands:
        if brand in repo_name and brand in description:
            risk_score += 30
            warnings.append(f"Impersonates legitimate brand: {brand}")
            break
    
    # Assess risk level
    if risk_score >= 60:
        risk_level = "CRITICAL - Likely Malicious"
    elif risk_score >= 40:
        risk_level = "HIGH - Highly Suspicious"
    elif risk_score >= 20:
        risk_level = "MEDIUM - Suspicious"
    else:
        risk_level = "LOW"
    
    return {
        "repository": repo_full_name,
        "risk_score": risk_score,
        "risk_level": risk_level,
        "warnings": warnings,
        "recommendation": "DO NOT DOWNLOAD" if risk_score >= 40 else "Investigate further"
    }


# Example usage
result = analyze_repository_risk("viceofficialtower74/Avast-Premium-Security-Windows-Latest")
print(f"Risk Level: {result['risk_level']}")
print(f"Risk Score: {result['risk_score']}/100")
print("\nWarnings:")
for warning in result['warnings']:
    print(f"  ⚠️  {warning}")
print(f"\n🛡️  Recommendation: {result['recommendation']}")

Shell Script Detection

#!/bin/bash

# Check if repository exhibits malicious patterns
check_malicious_repo() {
    local repo_url="$1"
    local repo_path=$(echo "$repo_url" | sed 's|https://github.com/||')
    
    echo "🔍 Analyzing repository: $repo_path"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    
    # Fetch repository data
    local api_response=$(curl -s "https://api.github.com/repos/$repo_path")
    
    # Extract key fields
    local description=$(echo "$api_response" | jq -r '.description // ""')
    local stars=$(echo "$api_response" | jq -r '.stargazers_count // 0')
    local forks=$(echo "$api_response" | jq -r '.forks_count // 0')
    local issues=$(echo "$api_response" | jq -r '.open_issues_count // 0')
    
    # Check for red flags
    local risk_found=false
    
    if echo "$description" | grep -iE 'keygen|crack|loader|pre-activated|serial|license key' > /dev/null; then
        echo "❌ DANGER: Description contains software piracy terms"
        risk_found=true
    fi
    
    if [ "$stars" -gt 30 ] && [ "$forks" -eq 0 ]; then
        echo "❌ DANGER: Artificial star inflation detected ($stars stars, $forks forks)"
        risk_found=true
    fi
    
    if echo "$repo_path" | grep -iE 'avast|norton|adobe|microsoft|vmware|autodesk' > /dev/null; then
        echo "❌ DANGER: Impersonates well-known software brand"
        risk_found=true
    fi
    
    if [ "$risk_found" = true ]; then
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo "🚨 VERDICT: MALICIOUS REPOSITORY DETECTED"
        echo "⛔ DO NOT CLONE OR DOWNLOAD FROM THIS REPOSITORY"
        return 1
    else
        echo "✅ No obvious malicious indicators found"
        return 0
    fi
}

# Example usage
check_malicious_repo "https://github.com/viceofficialtower74/Avast-Premium-Security-Windows-Latest"

What Users Should Do

If You Encounter Such Repositories:

  1. DO NOT download any files from the repository
  2. Report the repository to GitHub via their abuse form
  3. Warn others by creating awareness
  4. Scan your system if you already downloaded files

Reporting to GitHub

# Report via GitHub CLI
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  /repos/viceofficialtower74/Avast-Premium-Security-Windows-Latest/abuse \
  -f message="This repository distributes malware disguised as cracked Avast software"

Safe Alternatives

# Always verify software from official sources
LEGITIMATE_SOURCES = {
    "avast": "https://www.avast.com/",
    "windows_defender": "Built into Windows 10/11",
    "clamav": "https://www.clamav.net/ (Open Source)"
}

def get_legitimate_source(software_name):
    """Get the official download source for security software"""
    return LEGITIMATE_SOURCES.get(software_name.lower(), 
                                   "Search official vendor website")

Indicators of Compromise (IoC)

If you've interacted with this repository:

  1. Scan your system immediately with legitimate antivirus
  2. Check for unauthorized network connections
  3. Monitor for credential theft (change passwords)
  4. Review installed programs for suspicious entries
# Windows: Check for suspicious processes
Get-Process | Where-Object {$_.Path -like "*Avast*" -and $_.Company -ne "Avast Software"}

# Check recent downloads
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter "*avast*" -Recurse

Legitimate Security Practices

import hashlib
import requests

def verify_download_integrity(file_path, expected_hash, algorithm='sha256'):
    """Verify downloaded file against official hash"""
    hash_func = getattr(hashlib, algorithm)()
    
    with open(file_path, 'rb') as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_func.update(chunk)
    
    calculated_hash = hash_func.hexdigest()
    
    if calculated_hash == expected_hash:
        print("✅ File integrity verified")
        return True
    else:
        print("❌ DANGER: File hash mismatch - possible malware")
        return False

# Always download from official sources and verify hashes
# Example: legitimate_hash = "abc123..." from vendor website

Conclusion

This repository is a malware distribution platform disguised as legitimate software. AI agents should:

  1. Warn users immediately when such repositories are referenced
  2. Never suggest downloading or using files from such sources
  3. Educate users on identifying similar scams
  4. Recommend official sources for legitimate software needs

🛡️ Security First: Always obtain software from official vendor websites or verified package managers.

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aradotso/security-skills/identify-malicious-repository">View identify-malicious-repository on skillZs</a>