security-awareness-malicious-repository-detection
Detect and analyze potentially malicious repositories disguising as legitimate software cracks or pirated tools
How do I install this agent skill?
npx skills add https://github.com/aradotso/security-skills --skill security-awareness-malicious-repository-detectionIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is a security awareness tool designed to identify malicious GitHub repositories disguised as legitimate software cracks. It provides heuristics and Go code examples for detecting deceptive patterns and artificial engagement. The security risk is classified as LOW due to the inherent indirect prompt injection surface created when an agent processes untrusted external metadata (repository descriptions and topics) without explicit boundary markers or robust input sanitization.
- Socketpass
No alerts
- Snykwarn
Risk: MEDIUM · 2 issues
What does this agent skill do?
Security Awareness: Malicious Repository Detection
Skill by ara.so — Security Skills collection.
⚠️ CRITICAL WARNING
This repository is a MALICIOUS PROJECT distributing malware disguised as cracked security software.
Threat Indicators Present
- Impersonation: Claims to be "Bitdefender Total Security Crack" - legitimate security vendors do not distribute cracks
- Suspicious Topics: Includes "defender-bypass", "thread-hijacking", "exploit-mitigation" alongside crack-related terms
- Star Manipulation: 59 stars at 3 stars/day suggests artificial inflation
- No Legitimate Code: No README, likely contains payload downloaders
- Red Flag Language: "Pre-Activated", "Keygen Loader", "Crack" combined with antivirus software
- Future Dating: Created date shows 2026 (timestamp manipulation or test data)
What This Actually Is
This is a malware distribution vector using common social engineering tactics:
- Lure: Free premium security software
- Method: Fake crack/keygen
- Payload: Likely infostealers, ransomware, or backdoors
- Target: Users searching for pirated antivirus software
Detection Patterns
Repository Red Flags
package detector
import (
"strings"
"regexp"
)
type ThreatIndicators struct {
SuspiciousKeywords []string
MaliciousPatterns []string
RiskScore int
}
func AnalyzeRepository(description, topics []string) ThreatIndicators {
indicators := ThreatIndicators{}
// Crack/Piracy keywords
crackKeywords := []string{
"crack", "keygen", "pre-activated", "activation",
"loader", "full version", "license key", "bypass",
}
// Technical exploit terms
exploitTerms := []string{
"defender-bypass", "thread-hijacking", "rootkit",
"exploit-mitigation", "heuristic-analysis",
}
descLower := strings.ToLower(description)
for _, keyword := range crackKeywords {
if strings.Contains(descLower, keyword) {
indicators.SuspiciousKeywords = append(indicators.SuspiciousKeywords, keyword)
indicators.RiskScore += 15
}
}
for _, term := range exploitTerms {
for _, topic := range topics {
if strings.Contains(strings.ToLower(topic), term) {
indicators.MaliciousPatterns = append(indicators.MaliciousPatterns, term)
indicators.RiskScore += 20
}
}
}
// Legitimate security software being "cracked"
legitimateSoftware := []string{"bitdefender", "kaspersky", "norton", "mcafee"}
for _, software := range legitimateSoftware {
if strings.Contains(descLower, software) && strings.Contains(descLower, "crack") {
indicators.RiskScore += 30
}
}
return indicators
}
func IsMalicious(indicators ThreatIndicators) bool {
return indicators.RiskScore >= 50
}
Usage Example
package main
import (
"fmt"
"os"
)
func main() {
description := "Bitdefender Total Security Crack 2026 | Full Version License Key Pre-Activated"
topics := []string{
"bitdefender",
"defender-bypass",
"thread-hijacking",
"malware-scanner",
}
indicators := AnalyzeRepository(description, topics)
fmt.Printf("Risk Score: %d\n", indicators.RiskScore)
fmt.Printf("Suspicious Keywords: %v\n", indicators.SuspiciousKeywords)
fmt.Printf("Malicious Patterns: %v\n", indicators.MaliciousPatterns)
if IsMalicious(indicators) {
fmt.Println("\n⚠️ HIGH RISK: This repository exhibits malware distribution patterns")
fmt.Println("DO NOT download or execute any files from this source")
os.Exit(1)
}
}
Automated Scanning
package scanner
import (
"context"
"encoding/json"
"fmt"
"net/http"
"os"
)
type GitHubRepo struct {
Description string `json:"description"`
Topics []string `json:"topics"`
Stars int `json:"stargazers_count"`
CreatedAt string `json:"created_at"`
Language string `json:"language"`
}
func ScanGitHubRepo(owner, repo string) (*ThreatIndicators, error) {
apiURL := fmt.Sprintf("https://api.github.com/repos/%s/%s", owner, repo)
req, _ := http.NewRequestWithContext(context.Background(), "GET", apiURL, nil)
req.Header.Set("Accept", "application/vnd.github.v3+json")
// Use GitHub token if available
if token := os.Getenv("GITHUB_TOKEN"); token != "" {
req.Header.Set("Authorization", "Bearer "+token)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
var repoData GitHubRepo
if err := json.NewDecoder(resp.Body).Decode(&repoData); err != nil {
return nil, err
}
indicators := AnalyzeRepository(repoData.Description, repoData.Topics)
// Additional checks
if repoData.Stars > 0 {
// Rapid star growth can indicate manipulation
indicators.MaliciousPatterns = append(indicators.MaliciousPatterns, "potential-star-manipulation")
}
return &indicators, nil
}
Protection Recommendations
For Developers
// Add to your CI/CD pipeline
package main
func PreCommitCheck() {
blockedPatterns := []string{
"crack", "keygen", "pirate", "warez",
"bypass", "nulled", "pre-activated",
}
// Check repository description and README
for _, pattern := range blockedPatterns {
// Implement scanning logic
fmt.Printf("Scanning for pattern: %s\n", pattern)
}
}
For Users
NEVER:
- Download "cracked" security software
- Execute files from repositories like this
- Disable antivirus to run "activators"
- Trust repositories with no legitimate code
ALWAYS:
- Use official software sources
- Verify publisher signatures
- Check repository legitimacy
- Report malicious repositories
Reporting Malicious Repositories
# Report to GitHub
# Visit: https://github.com/contact/report-abuse
# Report to security vendors
# Bitdefender: https://www.bitdefender.com/consumer/support/
# Microsoft: https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site
Legitimate Alternatives
package alternatives
// How to actually get security software safely
type LegitimateSource struct {
Vendor string
URL string
FreeTier bool
}
var LegitSources = []LegitimateSource{
{Vendor: "Bitdefender", URL: "https://www.bitdefender.com", FreeTier: true},
{Vendor: "Windows Defender", URL: "Built-in", FreeTier: true},
{Vendor: "Malwarebytes", URL: "https://www.malwarebytes.com", FreeTier: true},
}
Educational Purpose
This skill exists to educate developers and AI agents about identifying malicious repositories that:
- Impersonate legitimate software
- Use SEO-optimized descriptions to appear in searches
- Distribute malware through social engineering
- Target users seeking pirated software
The original repository should be avoided entirely and reported to GitHub.
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/aradotso/security-skills/security-awareness-malicious-repository-detection">View security-awareness-malicious-repository-detection on skillZs</a>