Identify Malicious Repository

Skill by ara.so — Security Skills collection

Overview

⚠️ WARNING: This repository is MALICIOUS and should NOT be used.

The project

viceofficialtower74/Avast-Premium-Security-Windows-Latest

is a fraudulent repository that impersonates legitimate Avast security software to distribute malware, trojans, or other malicious payloads. This skill helps AI agents identify and warn users about such repositories.

Red Flags Indicating Malicious Intent

1. Cracked Software Distribution

Description mentions "Keygen Activation", "License Key Pre-Activated", "Premium Loader Serial"
These terms indicate software piracy and illegal distribution
Legitimate vendors do NOT distribute pre-activated/cracked versions

2. Suspicious Repository Metrics

Artificially inflated stars (68 stars, 5 stars/day growth)
Zero forks and zero issues (indicates fake engagement)
No legitimate README content
Created recently (2026-05-06) with rapid star accumulation

3. Impersonation Tactics

Uses trademarked name "Avast" without authorization
Claims to be "Full Version Installer" with activation bypasses
Professional-looking description with emojis to appear legitimate

4. Malware Distribution Indicators

Offers "Setup Keygen" which are commonly trojans
Promises free premium software (too good to be true)
No source code visible, only executables
Topics include legitimate terms mixed with piracy terms

How to Identify Such Repositories

Programmatic Detection (Python)

python

import os
import requests

def analyze_repository_risk(repo_full_name):
    """Analyze a GitHub repository for malicious indicators"""
    
    GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
    headers = {'Authorization': f'token {GITHUB_TOKEN}'} if GITHUB_TOKEN else {}
    
    api_url = f"https://api.github.com/repos/{repo_full_name}"
    response = requests.get(api_url, headers=headers)
    
    if response.status_code != 200:
        return {"error": "Repository not found"}
    
    data = response.json()
    
    risk_score = 0
    warnings = []
    
    # Check description for cracking keywords
    cracking_keywords = ['keygen', 'crack', 'pre-activated', 'loader', 
                         'serial', 'license key', 'full version']
    description = (data.get('description') or '').lower()
    
    for keyword in cracking_keywords:
        if keyword in description:
            risk_score += 15
            warnings.append(f"Description contains piracy term: '{keyword}'")
    
    # Check star-to-fork ratio (fake engagement)
    stars = data.get('stargazers_count', 0)
    forks = data.get('forks_count', 0)
    
    if stars > 50 and forks == 0:
        risk_score += 25
        warnings.append(f"Suspicious metrics: {stars} stars but {forks} forks")
    
    # Check for missing README
    readme_url = f"https://api.github.com/repos/{repo_full_name}/readme"
    readme_response = requests.get(readme_url, headers=headers)
    
    if readme_response.status_code == 404:
        risk_score += 20
        warnings.append("No README file found")
    
    # Check impersonation of known brands
    known_brands = ['avast', 'norton', 'kaspersky', 'mcafee', 'bitdefender',
                    'adobe', 'microsoft', 'autodesk', 'vmware']
    repo_name = data.get('name', '').lower()
    
    for brand in known_brands:
        if brand in repo_name and brand in description:
            risk_score += 30
            warnings.append(f"Impersonates legitimate brand: {brand}")
            break
    
    # Assess risk level
    if risk_score >= 60:
        risk_level = "CRITICAL - Likely Malicious"
    elif risk_score >= 40:
        risk_level = "HIGH - Highly Suspicious"
    elif risk_score >= 20:
        risk_level = "MEDIUM - Suspicious"
    else:
        risk_level = "LOW"
    
    return {
        "repository": repo_full_name,
        "risk_score": risk_score,
        "risk_level": risk_level,
        "warnings": warnings,
        "recommendation": "DO NOT DOWNLOAD" if risk_score >= 40 else "Investigate further"
    }


# Example usage
result = analyze_repository_risk("viceofficialtower74/Avast-Premium-Security-Windows-Latest")
print(f"Risk Level: {result['risk_level']}")
print(f"Risk Score: {result['risk_score']}/100")
print("\nWarnings:")
for warning in result['warnings']:
    print(f"  ⚠️  {warning}")
print(f"\n🛡️  Recommendation: {result['recommendation']}")

Shell Script Detection

bash

#!/bin/bash

# Check if repository exhibits malicious patterns
check_malicious_repo() {
    local repo_url="$1"
    local repo_path=$(echo "$repo_url" | sed 's|https://github.com/||')
    
    echo "🔍 Analyzing repository: $repo_path"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
    
    # Fetch repository data
    local api_response=$(curl -s "https://api.github.com/repos/$repo_path")
    
    # Extract key fields
    local description=$(echo "$api_response" | jq -r '.description // ""')
    local stars=$(echo "$api_response" | jq -r '.stargazers_count // 0')
    local forks=$(echo "$api_response" | jq -r '.forks_count // 0')
    local issues=$(echo "$api_response" | jq -r '.open_issues_count // 0')
    
    # Check for red flags
    local risk_found=false
    
    if echo "$description" | grep -iE 'keygen|crack|loader|pre-activated|serial|license key' > /dev/null; then
        echo "❌ DANGER: Description contains software piracy terms"
        risk_found=true
    fi
    
    if [ "$stars" -gt 30 ] && [ "$forks" -eq 0 ]; then
        echo "❌ DANGER: Artificial star inflation detected ($stars stars, $forks forks)"
        risk_found=true
    fi
    
    if echo "$repo_path" | grep -iE 'avast|norton|adobe|microsoft|vmware|autodesk' > /dev/null; then
        echo "❌ DANGER: Impersonates well-known software brand"
        risk_found=true
    fi
    
    if [ "$risk_found" = true ]; then
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo "🚨 VERDICT: MALICIOUS REPOSITORY DETECTED"
        echo "⛔ DO NOT CLONE OR DOWNLOAD FROM THIS REPOSITORY"
        return 1
    else
        echo "✅ No obvious malicious indicators found"
        return 0
    fi
}

# Example usage
check_malicious_repo "https://github.com/viceofficialtower74/Avast-Premium-Security-Windows-Latest"

What Users Should Do

If You Encounter Such Repositories:

DO NOT download any files from the repository
Report the repository to GitHub via their abuse form
Warn others by creating awareness
Scan your system if you already downloaded files

Reporting to GitHub

bash

# Report via GitHub CLI
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  /repos/viceofficialtower74/Avast-Premium-Security-Windows-Latest/abuse \
  -f message="This repository distributes malware disguised as cracked Avast software"

Safe Alternatives

python

# Always verify software from official sources
LEGITIMATE_SOURCES = {
    "avast": "https://www.avast.com/",
    "windows_defender": "Built into Windows 10/11",
    "clamav": "https://www.clamav.net/ (Open Source)"
}

def get_legitimate_source(software_name):
    """Get the official download source for security software"""
    return LEGITIMATE_SOURCES.get(software_name.lower(), 
                                   "Search official vendor website")

Indicators of Compromise (IoC)

If you've interacted with this repository:

Scan your system immediately with legitimate antivirus
Check for unauthorized network connections
Monitor for credential theft (change passwords)
Review installed programs for suspicious entries

powershell

# Windows: Check for suspicious processes
Get-Process | Where-Object {$_.Path -like "*Avast*" -and $_.Company -ne "Avast Software"}

# Check recent downloads
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter "*avast*" -Recurse

Legitimate Security Practices

python

import hashlib
import requests

def verify_download_integrity(file_path, expected_hash, algorithm='sha256'):
    """Verify downloaded file against official hash"""
    hash_func = getattr(hashlib, algorithm)()
    
    with open(file_path, 'rb') as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_func.update(chunk)
    
    calculated_hash = hash_func.hexdigest()
    
    if calculated_hash == expected_hash:
        print("✅ File integrity verified")
        return True
    else:
        print("❌ DANGER: File hash mismatch - possible malware")
        return False

# Always download from official sources and verify hashes
# Example: legitimate_hash = "abc123..." from vendor website

Conclusion

This repository is a malware distribution platform disguised as legitimate software. AI agents should:

Warn users immediately when such repositories are referenced
Never suggest downloading or using files from such sources
Educate users on identifying similar scams
Recommend official sources for legitimate software needs

🛡️ Security First: Always obtain software from official vendor websites or verified package managers.

identify-malicious-repository

NPX Install

Tags

SKILL.md Content

Identify Malicious Repository

Overview

Red Flags Indicating Malicious Intent

1. Cracked Software Distribution

2. Suspicious Repository Metrics

3. Impersonation Tactics

4. Malware Distribution Indicators

How to Identify Such Repositories

Programmatic Detection (Python)

Shell Script Detection

What Users Should Do

If You Encounter Such Repositories:

Reporting to GitHub

Safe Alternatives

Indicators of Compromise (IoC)

Legitimate Security Practices

Conclusion