yourvpndead-vpn-detection

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). The presence of pre-built APKs on a small/unfamiliar GitHub repository (loop-uh/yourvpndead) and an unvetted short domain (ara.so) makes these sources moderately suspicious for distributing malware (GitHub Releases and clone URLs can carry unsigned/unknown executables), while http://127.0.0.1:$port is just a localhost endpoint (not a remote download) but is used by the tool to probe local services — verify the repo's reputation, inspect source code, and avoid installing untrusted APKs before running.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill is explicitly designed to discover and exploit unauthenticated local SOCKS5/HTTP/gRPC proxies and local APIs to deanonymize VPN users, enumerate installed VPN apps, extract exit IPs and active destination IPs, and even demonstrate brute-force/auth-probing — behavior that enables deliberate data exfiltration, credential abuse, and targeted deanonymization of users.