DEV Community

Akhouri Anmol Kumar
Akhouri Anmol Kumar

Posted on

GitHub Copilot flagged my security app as dangerous. Here's my technical response to every concern.

Someone ran GitHub Copilot's security scan on ATLOCK
and got this:

✗ No digital signature verification
✗ No source code audit possible

✗ Uncontrolled system-level access
✗ Network communication with unknown purpose
✗ Potential for data exfiltration via keyboard hooks
✗ README just says "trust me bro"

Fair concerns. Let me address every single one.

"No digital signature"

Correct. Code signing certificates cost $200-500/year.

I am 13 years old.
I have zero revenue.

Microsoft's own Sysinternals tools were unsigned
for years. Mark Russinovich built them solo.
People still used them.

Unsigned ≠ malicious.
It means indie developer with no budget.

"No source code audit possible"

The entire source code is on GitHub.
Right now.
Public.
Anyone can read it.

What Copilot actually means is it hasn't been
audited by a paid firm.

Neither has most open source software you use daily.

"Uncontrolled system-level access"

This is literally the feature.

ATLOCK uses WH_KEYBOARD_LL — a standard documented
Windows API — to block Alt+Tab and Win key.

Every parental control app does this.
Every kiosk software does this.
Windows itself exposes this API for exactly this purpose.

"Uncontrolled" is Copilot's way of saying
"I don't understand the intent."

"Network communication with unknown purpose"

ATLOCK has zero network code.

Zero.

grep the source for any of these:

  • socket
  • requests
  • urllib
  • http
  • network

You will find nothing.

The Password Vault is encrypted and stored locally.
No cloud. No sync. No internet.

"Data exfiltration via keyboard hooks"

This is the most dramatic one.

Yes — ATLOCK intercepts keystrokes.
That's how it blocks Alt+Tab.

No — it does not log or transmit them.

The hook intercepts, checks if the key is
Alt+Tab/Win/Alt+F4, and if so — blocks it.
That's the entire logic. Read it yourself.

Keyloggers exfiltrate. ATLOCK blocks.
Same API. Different intent. Readable in the code.


The real issue

Copilot flagged ATLOCK because it uses powerful APIs.

Powerful APIs look scary to automated scanners
that judge capability, not intent.

A knife looks dangerous.
A surgeon's scalpel looks dangerous.
Context matters.

ATLOCK uses system-level APIs to do exactly
what it says it does — lock your system in a way
that can't be trivially bypassed.

If that makes you uncomfortable — don't use it.

If you actually read the source code and find
malicious behavior — file an issue.
I will fix it within 24 hours.


13 years old. India. Solo developer.
Akhouri Systems.

Source: https://github.com/Akhouri-Anmol-Kumar/ATLOCK
Website-https://akhouri-anmol-kumar.github.io/Akhouri-systems/

We build what others forgot to fix.

Top comments (8)

Collapse
 
technogamerz profile image
𝕋𝕙𝕖 𝕃𝕒𝕫𝕪 𝔾𝕚𝕣𝕝

You're doing great, Anmol! I hope you'll achieve your goal by the time your birthday comes around. Wishing you the very best!

Collapse
 
akhourianmolkumar profile image
Akhouri Anmol Kumar

Thanks.

Collapse
 
technogamerz profile image
𝕋𝕙𝕖 𝕃𝕒𝕫𝕪 𝔾𝕚𝕣𝕝

How many downloads are there now?

Thread Thread
 
akhourianmolkumar profile image
Akhouri Anmol Kumar

310 total, Alone ATLOCK contributing with 127 and rest other 3 apps are contributing. future projections within this week 400 downloads projected. and I have now changed my goal now till 31 august(my birthday) my target is not 500 it is now 1000.

Thread Thread
 
technogamerz profile image
𝕋𝕙𝕖 𝕃𝕒𝕫𝕪 𝔾𝕚𝕣𝕝

Good luck 💯

Thread Thread
 
akhourianmolkumar profile image
Akhouri Anmol Kumar

Thanks. You are supporting me and motivating me from the day when i was near 80s-100s download and now Akhouri Systems sits at 309 downloads. Thanks again to you and mustafa.

Thread Thread
 
technogamerz profile image
Comment deleted
Thread Thread
 
akhourianmolkumar profile image
Akhouri Anmol Kumar

Thanks, and yea I know mustafa is very great person. Also tell your freinds to give suggestions as there is one tip given by mustafa-"always implement your user's suggestion to improve yourself day by day"

Some comments may only be visible to logged-in visitors. Sign in to view all comments.