According to a post by V2EX users, the open source project PakePlus was found to "steal" attention. When a user provides a GitHub token to perform an operation, the project's original author uses that token to automatically follow the author's own account and the author's other projects.
Getting more stars is indeed useful for developers who publish projects on GitHub. Developers usually encourage users to follow a project while using it, but secretly automating such operations with a user's token is not common.

Users also found that the PakePlus terms of use mention this behavior: if you use this project with a GitHub token, it will star the project by default, and statistics on whether the project's build succeeded or failed will be used to improve the project and obtain feedback.
Actual testing has shown that providing a GitHub token results in starring the project, following the project's developer, and starring PakePlus-iOS and PakePlus-Android. This behavior is somewhat dangerous for other developers. After all, no one knows what else your token is being used for.
However, developers who have already used this project do not need to worry for the time being. At least there is no evidence that the token poses a security risk. Of course, even though the terms of use describe the behavior, that description does not appear on the project's GitHub homepage, so most users are probably unaware of it.
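For developers who want to check their own account for the actions described above, the following is an added example, not code from the article or from PakePlus. It pages through GitHub's `GET /user/starred` and `GET /user/following` endpoints and lists matching entries; the login `example-dev` and the sample pages are constructed placeholders, because the page does not name the owner account.

```python
import json
import urllib.request

API = "https://api.github.com"
# Repo names from the article; the owner is not named there, so match on name only.
REPORTED_REPOS = {"pakeplus", "pakeplus-ios", "pakeplus-android"}

def http_get(url, token):
    """One authenticated GET; returns (parsed JSON list, Link header)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp), resp.headers.get("Link", "")

def next_url(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None."""
    for part in link_header.split(","):
        url, _, params = part.partition(";")
        if 'rel="next"' in params:
            return url.strip().strip("<>")

def fetch_all(path, token, get):
    """Follow pagination so entries beyond the first page are not missed."""
    items, url = [], f"{API}{path}?per_page=100"
    while url:
        page, link = get(url, token)
        items.extend(page)
        url = next_url(link)
    return items

def audit(token, suspect_logins, get=http_get):
    """List stars on the reported repos and follows of the given logins."""
    suspects = {s.lower() for s in suspect_logins}
    starred = fetch_all("/user/starred", token, get)
    following = fetch_all("/user/following", token, get)
    return {
        "starred": sorted(r["full_name"] for r in starred
                          if r["full_name"].split("/")[-1].lower() in REPORTED_REPOS),
        "following": sorted(u["login"] for u in following
                            if u["login"].lower() in suspects)}
# Constructed sample pages, not real API output; "example-dev" is a placeholder.
SAMPLE = {
    f"{API}/user/starred?per_page=100":
        ([{"full_name": "example-dev/PakePlus"}], f'<{API}/page2>; rel="next"'),
    f"{API}/page2": ([{"full_name": "example-dev/PakePlus-iOS"},
                      {"full_name": "octo/unrelated"}], ""),
    f"{API}/user/following?per_page=100": ([{"login": "example-dev"}], "")}

if __name__ == "__main__":
    print(audit("unused", ["example-dev"], get=lambda url, tok: SAMPLE[url]))
```

To run it against a real account, call `audit()` with your own token and the developer's login and leave `get` at its default.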
PakePlus is mainly a packaging tool that converts web pages into desktop or mobile applications. The project is currently being questioned over alleged plagiarism of another open source project, Pake. However, the developer stated that PakePlus has nothing to do with Pake and that all of its implementation is original.
It is unclear why an original project would still use a name so similar to that of an existing, similar project. Pake's developers are right to question this. After all, it will make people mistakenly think that PakePlus is related to Pake.