report-malicious-repository
Identify and report potentially malicious software repositories masquerading as legitimate security tools
How do I install this agent skill?
npx skills add https://github.com/aradotso/security-skills --skill report-malicious-repositoryIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill provides instructions and code templates for identifying and reporting malicious software repositories on GitHub. It includes patterns for detecting red flags like piracy keywords, brand impersonation, and suspicious repository metadata.
- Socketpass
No alerts
- Snykwarn
Risk: MEDIUM · 1 issue
What does this agent skill do?
Report Malicious Repository
Skill by ara.so — Security Skills collection.
⚠️ WARNING: This Repository is Malicious
The project DragonflyTomb/Avast-Premium-Security-2026 is NOT legitimate software. This is a malicious repository designed to distribute malware, trojans, or phishing attacks by:
- Claiming to offer "cracked" or "pre-activated" commercial software
- Including terms like "keygen", "loader", "serial" in the description
- Impersonating legitimate security software (Avast)
- Using deceptive tactics (fake stars, professional-looking descriptions)
Identifying Malicious Repositories
Red Flags
- Piracy Keywords: keygen, crack, loader, serial, pre-activated, license key
- Too Good to Be True: Free versions of expensive commercial software
- Suspicious Topics: Mixing legitimate topics (retdec) with piracy terms
- No Source Code: Empty or minimal repository with download links
- Recent Creation: New accounts with inflated star counts
- Impersonation: Using brand names (Avast, Norton, etc.) without authorization
Analysis Pattern
package main
import (
"strings"
"regexp"
)
type RepoAnalysis struct {
IsSuspicious bool
RedFlags []string
RiskLevel string
}
func AnalyzeRepository(description, topics string, hasReadme bool, age int) RepoAnalysis {
analysis := RepoAnalysis{
RedFlags: []string{},
}
suspiciousKeywords := []string{
"keygen", "crack", "loader", "serial", "pre-activated",
"license key", "full version", "premium", "activation",
}
lowerDesc := strings.ToLower(description)
// Check for piracy keywords
for _, keyword := range suspiciousKeywords {
if strings.Contains(lowerDesc, keyword) {
analysis.RedFlags = append(analysis.RedFlags, "Piracy keyword: "+keyword)
analysis.IsSuspicious = true
}
}
// Check for brand impersonation
brands := []string{"avast", "norton", "mcafee", "kaspersky", "bitdefender"}
for _, brand := range brands {
if strings.Contains(lowerDesc, brand) {
analysis.RedFlags = append(analysis.RedFlags, "Brand impersonation: "+brand)
}
}
// Check for missing README
if !hasReadme {
analysis.RedFlags = append(analysis.RedFlags, "No README file")
analysis.IsSuspicious = true
}
// Check repository age vs stars
if age < 14 {
analysis.RedFlags = append(analysis.RedFlags, "Suspiciously new repository")
}
// Determine risk level
if len(analysis.RedFlags) >= 3 {
analysis.RiskLevel = "CRITICAL"
} else if len(analysis.RedFlags) >= 2 {
analysis.RiskLevel = "HIGH"
} else if analysis.IsSuspicious {
analysis.RiskLevel = "MEDIUM"
} else {
analysis.RiskLevel = "LOW"
}
return analysis
}
Reporting Malicious Repositories
GitHub Reporting Process
- Navigate to the repository
- Click the repository name to go to the main page
- Look for the three dots menu (⋯) or scroll to bottom
- Select "Report repository" or visit:
https://github.com/contact/report-content
Report Template
Repository: [USERNAME/REPO-NAME]
Issue Type: Malware/Phishing/Copyright Infringement
Description:
This repository is distributing malicious software disguised as cracked/pirated
commercial antivirus software. It contains:
- Claims of "keygen", "pre-activated", "license key" for Avast Premium Security
- No legitimate source code
- Impersonation of Avast brand
- Likely contains malware, trojans, or ransomware
Evidence:
- Repository description contains piracy keywords
- No README or source code provided
- Uses deceptive branding
Requested Action: Immediate takedown and account suspension
Automated Reporting Script
package main
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"os"
)
type GitHubReport struct {
Subject string `json:"subject"`
SubjectType string `json:"subject_type"`
Message string `json:"message"`
}
func ReportToGitHub(repoFullName, reason string) error {
// NOTE: GitHub doesn't have a public API for abuse reports
// This is a conceptual example - actual reporting must be done via web form
reportURL := "https://github.com/contact/report-content"
fmt.Printf("⚠️ MALICIOUS REPOSITORY DETECTED\n")
fmt.Printf("Repository: %s\n", repoFullName)
fmt.Printf("Reason: %s\n\n", reason)
fmt.Printf("Please report manually at: %s\n", reportURL)
fmt.Printf("Include repository URL and reason above.\n")
return nil
}
// Scan repository metadata for red flags
func ScanRepository(owner, repo string) error {
githubToken := os.Getenv("GITHUB_TOKEN")
if githubToken == "" {
return fmt.Errorf("GITHUB_TOKEN environment variable required")
}
url := fmt.Sprintf("https://api.github.com/repos/%s/%s", owner, repo)
req, _ := http.NewRequest("GET", url, nil)
req.Header.Set("Authorization", "Bearer "+githubToken)
req.Header.Set("Accept", "application/vnd.github+json")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
var repoData map[string]interface{}
json.NewDecoder(resp.Body).Decode(&repoData)
description := repoData["description"].(string)
analysis := AnalyzeRepository(description, "", false, 10)
if analysis.RiskLevel == "CRITICAL" || analysis.RiskLevel == "HIGH" {
fmt.Printf("🚨 ALERT: %s risk repository detected!\n", analysis.RiskLevel)
for _, flag := range analysis.RedFlags {
fmt.Printf(" - %s\n", flag)
}
return ReportToGitHub(owner+"/"+repo, "Malware distribution")
}
return nil
}
Protection Measures
For Developers
// Add to your dependency scanning
func ValidateDependency(repoURL string) bool {
// Check against known malware lists
// Verify package signatures
// Analyze repository metadata
blacklist := []string{
"keygen", "crack", "loader", "premium-loader",
}
for _, term := range blacklist {
if strings.Contains(strings.ToLower(repoURL), term) {
return false
}
}
return true
}
For Organizations
- Block suspicious patterns in CI/CD
- Implement dependency scanning tools
- Educate developers about social engineering
- Use verified sources only (official registries)
Common Attack Patterns
- Typosquatting: Similar names to legitimate projects
- Brand Impersonation: Using well-known software names
- SEO Manipulation: Keyword stuffing for search visibility
- Social Engineering: Fake stars, professional appearance
- Trojan Distribution: Executable files disguised as installers
Legitimate Alternatives
For actual Avast software:
- Official website: https://www.avast.com
- Official GitHub (if any): Verify through company website
- Licensed purchases only through authorized channels
Resources
- GitHub Abuse Report: https://github.com/contact/report-content
- DMCA Takedown: https://github.com/contact/dmca
- US-CERT: https://www.cisa.gov/report
- Anti-Phishing Working Group: https://apwg.org/reportphishing/
Remember: Never download "cracked" or "pre-activated" security software. It ALWAYS contains malware.
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/aradotso/security-skills/report-malicious-repository">View report-malicious-repository on skillZs</a>