The application has such a thing as a signature, signatures are different, incl. and the test signature "test-key". Some antivirus programs respond to signature changes during modification (trustlook always finds Android.PUA.DebugKey-potentially unwanted applications), although there is no threat.
Potentially unwanted applications (PUA) are a category of software that can slow down your computer's performance, display advertisements unexpectedly, or in the worst case, install other software that may be more dangerous or intrusive.
Downloaded files can be checked online at https://www.virustotal.com/gui/home/upload or you can install the free Virustotal Mobile app
https://play.google.com/store/apps/details?id=com....
Virustotal, Trustlock and DebugKey.
So, I downloaded a few apps and decided to check them out with VirusTotal. The only virus found is Android.PUA.DebugKey. What the hell is this thing? Like, is he stealing something?
If it's a mod (modified application) Trustlock heuristic detects a modification - the mod was signed with a different key than the original.
heuristics is a mechanism for searching for suspicious actions and conditions that are classified as malicious by antivirus. Therefore, false positives or, more precisely, the detection of suspicious actions of modified programs are very frequent.
For example, antivirus "Babable" writes "PUP.HighConfidence" on all applications that have the signature "test-key". That is, on any mod with this universal signature.
Developers from "Babable" seem to be very concerned about someone else's security and do not want to install re-signed applications with this signature.
But to use the modified software or not - it's up to you anyway.

https://en.m.wikipedia.org/wiki/Potentially_unwant...
.
PUP.High.Confidence.
.
A Potentially Unwanted Program (PUP) or Potentially Unwanted Application (PUA) is software that a user may perceive as unwanted. It is used as a subjective criterion for labeling safety and parental control products.
Some unwanted software packages install a root certificate on the user's device, allowing hackers to intercept personal data, such as banking details, without the browser being alerted to security. The US Department of Homeland Security has recommended that insecure root certificates be removed because they leave computers vulnerable to serious cyberattacks [5.

So it's not clear whether it's dangerous or not?