skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aradotso/security-skills914 installs

security-awareness-malicious-repository-detection

Detect and analyze potentially malicious repositories disguising as legitimate software cracks or pirated tools

How do I install this agent skill?

npx skills add https://github.com/aradotso/security-skills --skill security-awareness-malicious-repository-detection
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill is a security awareness tool designed to identify malicious GitHub repositories disguised as legitimate software cracks. It provides heuristics and Go code examples for detecting deceptive patterns and artificial engagement. The security risk is classified as LOW due to the inherent indirect prompt injection surface created when an agent processes untrusted external metadata (repository descriptions and topics) without explicit boundary markers or robust input sanitization.

  • Socketpass

    No alerts

  • Snykwarn

    Risk: MEDIUM · 2 issues

What does this agent skill do?

Security Awareness: Malicious Repository Detection

Skill by ara.so — Security Skills collection.

⚠️ CRITICAL WARNING

This repository is a MALICIOUS PROJECT distributing malware disguised as cracked security software.

Threat Indicators Present

  1. Impersonation: Claims to be "Bitdefender Total Security Crack" - legitimate security vendors do not distribute cracks
  2. Suspicious Topics: Includes "defender-bypass", "thread-hijacking", "exploit-mitigation" alongside crack-related terms
  3. Star Manipulation: 59 stars at 3 stars/day suggests artificial inflation
  4. No Legitimate Code: No README, likely contains payload downloaders
  5. Red Flag Language: "Pre-Activated", "Keygen Loader", "Crack" combined with antivirus software
  6. Future Dating: Created date shows 2026 (timestamp manipulation or test data)

What This Actually Is

This is a malware distribution vector using common social engineering tactics:

  • Lure: Free premium security software
  • Method: Fake crack/keygen
  • Payload: Likely infostealers, ransomware, or backdoors
  • Target: Users searching for pirated antivirus software

Detection Patterns

Repository Red Flags

package detector

import (
    "strings"
    "regexp"
)

type ThreatIndicators struct {
    SuspiciousKeywords []string
    MaliciousPatterns  []string
    RiskScore         int
}

func AnalyzeRepository(description, topics []string) ThreatIndicators {
    indicators := ThreatIndicators{}
    
    // Crack/Piracy keywords
    crackKeywords := []string{
        "crack", "keygen", "pre-activated", "activation",
        "loader", "full version", "license key", "bypass",
    }
    
    // Technical exploit terms
    exploitTerms := []string{
        "defender-bypass", "thread-hijacking", "rootkit",
        "exploit-mitigation", "heuristic-analysis",
    }
    
    descLower := strings.ToLower(description)
    
    for _, keyword := range crackKeywords {
        if strings.Contains(descLower, keyword) {
            indicators.SuspiciousKeywords = append(indicators.SuspiciousKeywords, keyword)
            indicators.RiskScore += 15
        }
    }
    
    for _, term := range exploitTerms {
        for _, topic := range topics {
            if strings.Contains(strings.ToLower(topic), term) {
                indicators.MaliciousPatterns = append(indicators.MaliciousPatterns, term)
                indicators.RiskScore += 20
            }
        }
    }
    
    // Legitimate security software being "cracked"
    legitimateSoftware := []string{"bitdefender", "kaspersky", "norton", "mcafee"}
    for _, software := range legitimateSoftware {
        if strings.Contains(descLower, software) && strings.Contains(descLower, "crack") {
            indicators.RiskScore += 30
        }
    }
    
    return indicators
}

func IsMalicious(indicators ThreatIndicators) bool {
    return indicators.RiskScore >= 50
}

Usage Example

package main

import (
    "fmt"
    "os"
)

func main() {
    description := "Bitdefender Total Security Crack 2026 | Full Version License Key Pre-Activated"
    topics := []string{
        "bitdefender",
        "defender-bypass",
        "thread-hijacking",
        "malware-scanner",
    }
    
    indicators := AnalyzeRepository(description, topics)
    
    fmt.Printf("Risk Score: %d\n", indicators.RiskScore)
    fmt.Printf("Suspicious Keywords: %v\n", indicators.SuspiciousKeywords)
    fmt.Printf("Malicious Patterns: %v\n", indicators.MaliciousPatterns)
    
    if IsMalicious(indicators) {
        fmt.Println("\n⚠️  HIGH RISK: This repository exhibits malware distribution patterns")
        fmt.Println("DO NOT download or execute any files from this source")
        os.Exit(1)
    }
}

Automated Scanning

package scanner

import (
    "context"
    "encoding/json"
    "fmt"
    "net/http"
    "os"
)

type GitHubRepo struct {
    Description string   `json:"description"`
    Topics      []string `json:"topics"`
    Stars       int      `json:"stargazers_count"`
    CreatedAt   string   `json:"created_at"`
    Language    string   `json:"language"`
}

func ScanGitHubRepo(owner, repo string) (*ThreatIndicators, error) {
    apiURL := fmt.Sprintf("https://api.github.com/repos/%s/%s", owner, repo)
    
    req, _ := http.NewRequestWithContext(context.Background(), "GET", apiURL, nil)
    req.Header.Set("Accept", "application/vnd.github.v3+json")
    
    // Use GitHub token if available
    if token := os.Getenv("GITHUB_TOKEN"); token != "" {
        req.Header.Set("Authorization", "Bearer "+token)
    }
    
    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        return nil, err
    }
    defer resp.Body.Close()
    
    var repoData GitHubRepo
    if err := json.NewDecoder(resp.Body).Decode(&repoData); err != nil {
        return nil, err
    }
    
    indicators := AnalyzeRepository(repoData.Description, repoData.Topics)
    
    // Additional checks
    if repoData.Stars > 0 {
        // Rapid star growth can indicate manipulation
        indicators.MaliciousPatterns = append(indicators.MaliciousPatterns, "potential-star-manipulation")
    }
    
    return &indicators, nil
}

Protection Recommendations

For Developers

// Add to your CI/CD pipeline
package main

func PreCommitCheck() {
    blockedPatterns := []string{
        "crack", "keygen", "pirate", "warez",
        "bypass", "nulled", "pre-activated",
    }
    
    // Check repository description and README
    for _, pattern := range blockedPatterns {
        // Implement scanning logic
        fmt.Printf("Scanning for pattern: %s\n", pattern)
    }
}

For Users

NEVER:

  • Download "cracked" security software
  • Execute files from repositories like this
  • Disable antivirus to run "activators"
  • Trust repositories with no legitimate code

ALWAYS:

  • Use official software sources
  • Verify publisher signatures
  • Check repository legitimacy
  • Report malicious repositories

Reporting Malicious Repositories

# Report to GitHub
# Visit: https://github.com/contact/report-abuse

# Report to security vendors
# Bitdefender: https://www.bitdefender.com/consumer/support/
# Microsoft: https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site

Legitimate Alternatives

package alternatives

// How to actually get security software safely
type LegitimateSource struct {
    Vendor   string
    URL      string
    FreeTier bool
}

var LegitSources = []LegitimateSource{
    {Vendor: "Bitdefender", URL: "https://www.bitdefender.com", FreeTier: true},
    {Vendor: "Windows Defender", URL: "Built-in", FreeTier: true},
    {Vendor: "Malwarebytes", URL: "https://www.malwarebytes.com", FreeTier: true},
}

Educational Purpose

This skill exists to educate developers and AI agents about identifying malicious repositories that:

  1. Impersonate legitimate software
  2. Use SEO-optimized descriptions to appear in searches
  3. Distribute malware through social engineering
  4. Target users seeking pirated software

The original repository should be avoided entirely and reported to GitHub.

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aradotso/security-skills/security-awareness-malicious-repository-detection">View security-awareness-malicious-repository-detection on skillZs</a>