skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aradotso/security-skills932 installs

report-malicious-repository

Identify and report potentially malicious software repositories masquerading as legitimate security tools

How do I install this agent skill?

npx skills add https://github.com/aradotso/security-skills --skill report-malicious-repository
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill provides instructions and code templates for identifying and reporting malicious software repositories on GitHub. It includes patterns for detecting red flags like piracy keywords, brand impersonation, and suspicious repository metadata.

  • Socketpass

    No alerts

  • Snykwarn

    Risk: MEDIUM · 1 issue

What does this agent skill do?

Report Malicious Repository

Skill by ara.so — Security Skills collection.

⚠️ WARNING: This Repository is Malicious

The project DragonflyTomb/Avast-Premium-Security-2026 is NOT legitimate software. This is a malicious repository designed to distribute malware, trojans, or phishing attacks by:

  • Claiming to offer "cracked" or "pre-activated" commercial software
  • Including terms like "keygen", "loader", "serial" in the description
  • Impersonating legitimate security software (Avast)
  • Using deceptive tactics (fake stars, professional-looking descriptions)

Identifying Malicious Repositories

Red Flags

  1. Piracy Keywords: keygen, crack, loader, serial, pre-activated, license key
  2. Too Good to Be True: Free versions of expensive commercial software
  3. Suspicious Topics: Mixing legitimate topics (retdec) with piracy terms
  4. No Source Code: Empty or minimal repository with download links
  5. Recent Creation: New accounts with inflated star counts
  6. Impersonation: Using brand names (Avast, Norton, etc.) without authorization

Analysis Pattern

package main

import (
    "strings"
    "regexp"
)

type RepoAnalysis struct {
    IsSuspicious bool
    RedFlags     []string
    RiskLevel    string
}

func AnalyzeRepository(description, topics string, hasReadme bool, age int) RepoAnalysis {
    analysis := RepoAnalysis{
        RedFlags: []string{},
    }
    
    suspiciousKeywords := []string{
        "keygen", "crack", "loader", "serial", "pre-activated",
        "license key", "full version", "premium", "activation",
    }
    
    lowerDesc := strings.ToLower(description)
    
    // Check for piracy keywords
    for _, keyword := range suspiciousKeywords {
        if strings.Contains(lowerDesc, keyword) {
            analysis.RedFlags = append(analysis.RedFlags, "Piracy keyword: "+keyword)
            analysis.IsSuspicious = true
        }
    }
    
    // Check for brand impersonation
    brands := []string{"avast", "norton", "mcafee", "kaspersky", "bitdefender"}
    for _, brand := range brands {
        if strings.Contains(lowerDesc, brand) {
            analysis.RedFlags = append(analysis.RedFlags, "Brand impersonation: "+brand)
        }
    }
    
    // Check for missing README
    if !hasReadme {
        analysis.RedFlags = append(analysis.RedFlags, "No README file")
        analysis.IsSuspicious = true
    }
    
    // Check repository age vs stars
    if age < 14 {
        analysis.RedFlags = append(analysis.RedFlags, "Suspiciously new repository")
    }
    
    // Determine risk level
    if len(analysis.RedFlags) >= 3 {
        analysis.RiskLevel = "CRITICAL"
    } else if len(analysis.RedFlags) >= 2 {
        analysis.RiskLevel = "HIGH"
    } else if analysis.IsSuspicious {
        analysis.RiskLevel = "MEDIUM"
    } else {
        analysis.RiskLevel = "LOW"
    }
    
    return analysis
}

Reporting Malicious Repositories

GitHub Reporting Process

  1. Navigate to the repository
  2. Click the repository name to go to the main page
  3. Look for the three dots menu (⋯) or scroll to bottom
  4. Select "Report repository" or visit: https://github.com/contact/report-content

Report Template

Repository: [USERNAME/REPO-NAME]

Issue Type: Malware/Phishing/Copyright Infringement

Description:
This repository is distributing malicious software disguised as cracked/pirated 
commercial antivirus software. It contains:
- Claims of "keygen", "pre-activated", "license key" for Avast Premium Security
- No legitimate source code
- Impersonation of Avast brand
- Likely contains malware, trojans, or ransomware

Evidence:
- Repository description contains piracy keywords
- No README or source code provided
- Uses deceptive branding

Requested Action: Immediate takedown and account suspension

Automated Reporting Script

package main

import (
    "bytes"
    "encoding/json"
    "fmt"
    "net/http"
    "os"
)

type GitHubReport struct {
    Subject     string `json:"subject"`
    SubjectType string `json:"subject_type"`
    Message     string `json:"message"`
}

func ReportToGitHub(repoFullName, reason string) error {
    // NOTE: GitHub doesn't have a public API for abuse reports
    // This is a conceptual example - actual reporting must be done via web form
    
    reportURL := "https://github.com/contact/report-content"
    
    fmt.Printf("⚠️  MALICIOUS REPOSITORY DETECTED\n")
    fmt.Printf("Repository: %s\n", repoFullName)
    fmt.Printf("Reason: %s\n\n", reason)
    fmt.Printf("Please report manually at: %s\n", reportURL)
    fmt.Printf("Include repository URL and reason above.\n")
    
    return nil
}

// Scan repository metadata for red flags
func ScanRepository(owner, repo string) error {
    githubToken := os.Getenv("GITHUB_TOKEN")
    if githubToken == "" {
        return fmt.Errorf("GITHUB_TOKEN environment variable required")
    }
    
    url := fmt.Sprintf("https://api.github.com/repos/%s/%s", owner, repo)
    
    req, _ := http.NewRequest("GET", url, nil)
    req.Header.Set("Authorization", "Bearer "+githubToken)
    req.Header.Set("Accept", "application/vnd.github+json")
    
    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
        return err
    }
    defer resp.Body.Close()
    
    var repoData map[string]interface{}
    json.NewDecoder(resp.Body).Decode(&repoData)
    
    description := repoData["description"].(string)
    
    analysis := AnalyzeRepository(description, "", false, 10)
    
    if analysis.RiskLevel == "CRITICAL" || analysis.RiskLevel == "HIGH" {
        fmt.Printf("🚨 ALERT: %s risk repository detected!\n", analysis.RiskLevel)
        for _, flag := range analysis.RedFlags {
            fmt.Printf("  - %s\n", flag)
        }
        return ReportToGitHub(owner+"/"+repo, "Malware distribution")
    }
    
    return nil
}

Protection Measures

For Developers

// Add to your dependency scanning
func ValidateDependency(repoURL string) bool {
    // Check against known malware lists
    // Verify package signatures
    // Analyze repository metadata
    
    blacklist := []string{
        "keygen", "crack", "loader", "premium-loader",
    }
    
    for _, term := range blacklist {
        if strings.Contains(strings.ToLower(repoURL), term) {
            return false
        }
    }
    
    return true
}

For Organizations

  1. Block suspicious patterns in CI/CD
  2. Implement dependency scanning tools
  3. Educate developers about social engineering
  4. Use verified sources only (official registries)

Common Attack Patterns

  • Typosquatting: Similar names to legitimate projects
  • Brand Impersonation: Using well-known software names
  • SEO Manipulation: Keyword stuffing for search visibility
  • Social Engineering: Fake stars, professional appearance
  • Trojan Distribution: Executable files disguised as installers

Legitimate Alternatives

For actual Avast software:

  • Official website: https://www.avast.com
  • Official GitHub (if any): Verify through company website
  • Licensed purchases only through authorized channels

Resources

Remember: Never download "cracked" or "pre-activated" security software. It ALWAYS contains malware.

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aradotso/security-skills/report-malicious-repository">View report-malicious-repository on skillZs</a>