GTA:SA OHKO viruses?
8 years ago
Russia
  1. Avast is totally blocking this (can't download/extract from RAR/open)
  2. Online scanning https://goo.gl/fxOVvQ

???

File: http://www.speedrun.com/gtasaohko/resources

Germany

I'm not an expert, so I can't really definitively say one way or the other, but this feels like a false-positive. On the page you linked, Avast says "Win32:Malware-gen". The generic name suggests it detected possible malicious behaviour through some heuristic (like maybe injecting code or changing files, which I assume the OHKO mod would do), rather than a specific known threat.

Another name on there is "Trojan.AHK.AD". The AHK hints at it being AutoHotkey, which I think this Mod might be based on (which of course can or can not be used for malicious purposes depending what you do with it). For the specific "AHK.AD" variant I found something about it injecting code, so it may detect the same functions being used in this Mod and suspect it's the same thing.

Generally, I find these Malware names always pretty confusing. It's either some generic name that could literally be anything or they contain some hash values or whatever and you can barely find anything about it specifically. Either way, these kinds of things often seem like some heuristic finding similarities to something that could be dangerous.

As I said, I can't say if this file is dangerous, but if it's made or at least compiled by Lightnat0r I don't think it would have any malicious intent. As a general rule I like to also publish the source code alongside a compiled version. I couldn't immediately find this on Lightnat0r's GitHub, maybe he could shed some light on this. If anything, it's interesting how it exactly works and why it would trigger some alarms. :)

Bavaria, Germany

Indeed, OHKO is written using AutoHotkey which is very likely to cause false-positives like it does here.

It was a while back, but at some point I compiled a completely empty AHK script (meaning it does absolutely nothing except close down as soon as it is started) and even that got a whole bunch of false-positives (7/57). Additionally, the OHKO mod reads and alters the memory of an outside process (the game), something done by some malicious programs as well. This doesn't actually seem to affect the number of false-positives all that much though.

Including the source code, either directly in the download or linked to in the readme, is something I tend to always do, though it seems I didn't in this case for whatever reason. I've updated the download link to include the source code now. If you really don't trust me, AHK actually supports decompiling the exe back into source code, so you can check to be sure it's ok ;)

For a more in-depth explanation why AHK is viewed so badly by antiviruses, I expect that is due to how AHK compilation works. Rather than actually compiling the script, the 'compiler' simply includes the raw source code (hence the option to decompile) and when you run the executable, that code gets run through an interpreter written in C++. This interpreter (which is open source btw) is what is causing the false-positives. While the antivirus has no reason to suspect the interpreter of doing something bad in and of itself, it can't really know what the stuff that is interpreted is going to be doing. Using a 'better safe than sorry' reasoning, some antiviruses simply assume that since it's going to do something that is 'hidden' from it, the intention was for it to circumvent malware detection and it's probably something bad.

At least that's my take on it, mostly based on wild assumptions and guesses but w/e.

ult1matum, Trollbear666, and tduva like this
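
The post above describes a "compiled" AHK exe as a stock interpreter plus the raw script. As an added example (not code from this thread or from the AutoHotkey project), the Python below pulls that script out of a PE file so it can be read before running. It assumes the AutoHotkey v1.1 (Ahk2Exe) layout, where the script is an RCDATA resource named `>AUTOHOTKEY SCRIPT<`; the thread does not state this, and builds that pack the script differently return `None`.

```python
import struct

AHK_RESOURCE_NAME = ">AUTOHOTKEY SCRIPT<"  # assumed Ahk2Exe v1.1 layout, not from the thread

def _sections(pe):
    """Return (resource dir RVA, [(vsize, vaddr, raw_size, raw_offset), ...])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if len(pe) >= 0x40 else 0
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    rsrc_rva, = struct.unpack_from("<I", pe, dirs + 2 * 8)  # directory 2 = resources
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    return rsrc_rva, secs

def _off(rva, secs):
    for vsize, vaddr, rsize, raw in secs:           # RVA -> file offset
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + raw
    raise ValueError("RVA outside all sections")

def _lookup(pe, base, off, key):
    """Return the target of the entry named `key` (None = first entry), or None."""
    named, ids = struct.unpack_from("<HH", pe, base + off + 12)
    for i in range(named + ids):
        name, target = struct.unpack_from("<II", pe, base + off + 16 + 8 * i)
        if name & 0x80000000:                       # name is a UTF-16 string
            s = base + (name & 0x7FFFFFFF)
            n, = struct.unpack_from("<H", pe, s)
            name = pe[s + 2:s + 2 + 2 * n].decode("utf-16-le")
        if key is None or name == key:
            return target

def extract_ahk_script(pe):
    """Return the embedded script text, or None if the resource is absent."""
    rsrc_rva, secs = _sections(pe)
    if not rsrc_rva:
        return None
    base, node = _off(rsrc_rva, secs), 0x80000000   # high bit = subdirectory
    for key in (10, AHK_RESOURCE_NAME, None):       # RT_RCDATA, name, language
        if node is None or not node & 0x80000000:
            return None
        node = _lookup(pe, base, node & 0x7FFFFFFF, key)
    if node is None or node & 0x80000000:
        return None
    rva, size = struct.unpack_from("<II", pe, base + node)
    start = _off(rva, secs)
    return pe[start:start + size].decode("utf-8-sig", "replace")
```

Call it as `extract_ahk_script(open(path, "rb").read())`; the file is only read, never executed.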