CCM
/MCP
SkillsMCPMarketplacesDigestToolsAdvertise

This week in Claude

Every Monday: Claude Code, Agent SDK, MCP, and the Anthropic platform moves worth your time.

Skills by Category
Frontend DevelopmentBackend & APIsTesting & QASecurityDevOps & CI/CDGit & Pull RequestsDocumentationCode Review & QualityAI & Agent BuildingSkill Development
MCP Servers by Category
Sales & MarketingWeb & Browser AutomationDatabasesAI & LLM ToolsCloud & InfrastructureCommunication & MessagingDeveloper ToolsDesign & CreativeDocuments & KnowledgeSearch & Web Crawling
Marketplaces by Category
AI Agents & OrchestrationLLM IntegrationDevelopment ToolsFrontend & UIBackend & APIsDatabasesTesting & Code QualityDevOps & CloudSecurity & ComplianceGit & Version Control

Claude Code Marketplaces

Discover Claude Code plugins, extensions, and tools. Automatically updated directory of Anthropic Claude AI marketplaces with development tools, productivity plugins, and integrations.

Resources

  • Browse Skills
  • Browse MCP Servers
  • Browse Marketplaces
  • Plugins Reference

Community

  • About
  • Tools
  • Feedback
  • Privacy Policy
  • Advertise

Built for the Claude Code community with Claude Code by @mertduzgun

Independent project, not affiliated with Anthropic

Skylos

duriantaco/skylos
452authSTDIOregistry active
Summary

Brings Skylos static analysis into Claude, letting you scan codebases for dead code, security flaws, secrets, and quality issues across Python, TypeScript, Go, and eight other languages. You can run full repo audits, diff scans against a branch, or trigger framework-aware checks that understand FastAPI routes, React components, and pytest fixtures. The server exposes Skylos operations as MCP tools, so you can ask Claude to find unused imports, check for SQL injection paths, or validate CI/CD workflows without leaving your conversation. Useful when you want Claude to review pull requests or triage technical debt using local-first analysis that doesn't upload your code.

CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
Skylos

Skylos

Open-source, local-first checks for dead code, security issues, secrets, quality regressions, and AI-code mistakes before merge.

License: Apache 2.0 codecov PyPI - Python Version PyPI version VS Code Marketplace Astronomer Trust Discord

Website | Docs | Repo Map | Quick Start | GitHub Action | VS Code Extension | Real-World Results | Benchmarks | Roadmap | Contributing

English | Deutsch | 简体中文 | Translations

What Is Skylos?

Skylos is an open-source static analysis CLI for Python, TypeScript, JavaScript, Java, Go, Kotlin, PHP, Rust, Dart, C#, Shell, and deployment config. It runs locally by default and can also be used as a CI/CD PR gate.

Use Skylos when you want one command to check a repo or pull request for:

  • dead code and unused files
  • security flaws and dangerous data flows
  • secrets and dependency CVEs
  • CI/CD and edge-device deployment misconfigurations
  • quality regressions such as complexity, duplicate branches, and deep nesting
  • common AI-generated code mistakes, including missing guards, fake helpers, invented package APIs, and impossible dependency versions
  • LLM app risks such as unsafe tool use and missing output validation

Start In 60 Seconds

pip install skylos
skylos .

The default scan focuses on dead code. Add security, secrets, quality, dependency, and AI-defect checks with -a:

skylos . -a

Run only evidence-backed AI defect checks with:

skylos . --ai-defects

Verify a changed file or range before an agent hands it to review:

skylos verify . --file src/app.py --range 40:75 --project-context

skylos verify schema version 2 returns pass, fail, or incomplete. incomplete means a requested proof could not be established, such as a third-party TS/JS import, computed namespace member, unsupported language-local API check, or parser surface that Skylos could not prove; it exits 2 unless --no-fail is set. The coverage object lists detected languages, expected checks, language support, missing checks, completed/skipped checks, checked references, and deterministic skip reasons.

Deterministic local/workspace API verification currently covers Python, TypeScript/JavaScript, Go, and Java without executing target code. PHP, Rust, Dart, C#, Kotlin, and Shell retain their existing static-analysis coverage, but their local API proof is reported as unsupported and therefore incomplete. See AI Code Verification Coverage.

Create a local AI hallucination contract for repo-specific generated-code truth. skylos verify auto-discovers .skylos/ai-contract.yml:

skylos contract init
skylos contract inspect
skylos verify .

Create a project config with thresholds, ignores, template hooks, and vibe dictionary extensions:

skylos init

Create a starter local rule pack:

skylos rules init
skylos rules validate .skylos/rules/local.yml
skylos rules list --json
skylos rules list cross --json
skylos rules list --packs --json
skylos cache stats

Generate a GitHub Actions PR gate:

skylos cicd init
git add .github/workflows/skylos.yml
git commit -m "Add Skylos CI gate"
git push

Need more commands? Read the CLI Reference.

Common Workflows

GoalCommandWhat You GetMore Detail
First dead-code scanskylos .Finds unused functions, classes, imports, files, and framework entrypoint mistakesDead code docs
Deterministic cleanup previewskylos clean . --dry-run --types import,function --confidence 80Shows safe import/function removals before writing; add --apply to edit filesDead code docs
Security and quality auditskylos . -aAdds dangerous flow, secrets, dependency, config, quality, and AI-defect checksSecurity docs
PR gateskylos cicd initGenerates a GitHub Actions workflow with annotations and failure thresholdsCI/CD guide
Readable terminal reportskylos . --format prettyGroups findings by file with severity badges, snippets, and copyable file:line locationsCLI output modes
Selectable terminal triageskylos . --tuiOpens a keyboard-driven category list, finding list, and detail paneCLI output modes
IDE/test-script outputskylos --format concise src/test.pyPrints only file:line findings and exits non-zero when findings existCLI Reference
In-loop AI-code verificationskylos verify . --file src/app.py --range 40:75Returns narrow JSON for hallucinated helpers, unfinished code, stale references, disabled controls, and API/dependency hallucinationsAI features
AI hallucination contractsskylos contract init && skylos verify .Auto-discovers .skylos/ai-contract.yml and verifies generated code against repo-specific symbols, dependencies, APIs, route guards, and test requirementsAI Hallucination Contracts
Changed-lines reviewskylos . -a --diff origin/mainKeeps findings focused on active work instead of legacy debtQuality gate docs
Runtime-assisted dead-code checkskylos . --traceUses runtime traces to reduce dynamic-code false positivesSmart tracing
Local rule packskylos rules initScaffolds YAML rules for project-specific security and quality checksCustom rules
Security agent quick scanskylos agent security-quick .One-shot LLM security audit; compatibility alias for skylos agent scan . --securityAI features
Security agent deep scanskylos agent security-deep .Three-stage security workflow with threat-model context, static threat traces, discovery/validation, and remediation handoffAI features
AI-assisted reviewskylos agent scan .Static analysis plus optional LLM review and fix suggestionsAI features
Agent harness replayskylos agent replay .skylos/runs/<run-id>Validates and summarizes saved agent verification phases, tool calls, decisions, and budgetsAgent harness artifacts
Verification-backed remediationskylos agent scan . --fixRe-scans fixed security findings and records proof-test metadata for supported fixesAI features
MCP agent verificationverify_change MCP toolLets Claude, Cursor, and other MCP clients verify an edited file/range with the same schema as skylos verifyMCP server
LLM integration inventoryskylos discover .Maps every LLM call, agent tool, prompt site, and input source in the codebaseAgent verification
Pre-deployment agent verificationskylos defend . --format md -o evidence.mdVerifies agent guardrails, scores OWASP LLM/Agentic coverage, and emits an attested evidence reportAgent verification
Agent verification CI gateskylos defend . --fail-on criticalBlocks deploys with unguarded LLM integrations; SARIF for code scanning via --format sarifAgent verification
MCP agent pre-flightverify_agent MCP toolLets coding agents statically verify the agents they build — scores, failed checks, attestation digestMCP server
Technical debt triageskylos debt .Ranks hotspots and debt trendsTechnical debt

What Skylos Catches

CategoryExamplesWhy It Matters
Dead codeunused functions, classes, imports, package entrypoints, route handlersreduces maintenance cost without breaking dynamic frameworks
Security flawsSQL injection, XSS, SSRF, path traversal, command injection, unsafe deserializationcatches exploitable flows before code reaches main
SecretsAPI keys, tokens, private credentials, high-entropy stringsprevents credentials from leaking through commits and PRs
CI/CD workflowsGitHub Actions and GitLab CI dangerous triggers, unpinned actions/includes, broad tokens, OIDC misuse, cache poisoning, mutable imagesreduces CI/CD supply-chain risk before release jobs run
Edge deployment configDocker Compose privileged device access, host networking, systemd root services, broad capabilities, missing sandboxingcatches repo-controlled settings that turn app bugs into device compromise
Quality regressionscomplexity, deep nesting, duplicate branches, long functions, inconsistent returnskeeps AI-assisted refactors from adding brittle code
AI code mistakesphantom security calls, missing decorators, unfinished stubs, disabled controls, real packages called with invented APIs, impossible npm/Go versionscatches common hallucinated or incomplete code paths before they reach review
LLM app risksunsafe tool use, prompt injection exposure, missing output validation, missing rate limitshelps teams ship AI features with guardrails

See the full Rules Reference.

Verify AI Agents Before They Ship

Runtime guardrails are the WAF; Skylos is the SAST. skylos discover inventories every LLM integration in a codebase (provider SDKs, agent frameworks including the OpenAI Agents SDK, Claude Agent SDK, and Google ADK, MCP servers and their tools, direct HTTP calls to LLM APIs or OpenAI-compatible gateways, plus agent tools, prompt sites, and input sources), and skylos defend verifies the guardrails around them — deterministically, locally, with no model in the loop — then gates CI and emits auditor-ready evidence.

skylos discover .                               # inventory LLM integrations and agent tools
skylos defend .                                 # score guardrails (13 weighted checks)
skylos defend . --format md -o evidence.md      # auditor evidence report + attestation
skylos defend . --format sarif -o defend.sarif  # GitHub code scanning upload
skylos defend . --fail-on critical              # CI gate: exit 1 on critical gaps
skylos defend . --owasp-framework agentic       # report against OWASP Agentic ASI Top 10

Per integration it verifies: dangerous output sinks (eval/exec/subprocess), agent tool scope and typed schemas, prompt-injection exposure (delimiters, untrusted input paths, RAG context isolation), output validation, PII filtering, and model pinning — plus ops checks (logging, cost controls, rate limiting) scored separately so they never inflate the security score.

  • OWASP mapping: LLM Top 10 (2024/2025) and Agentic ASI Top 10 (2026).
  • Evidence report (--format md): integration inventory, per-check results, OWASP coverage, regulatory framework evidence (EU AI Act, NIST AI RMF, ISO/IEC 42001 — "evidence toward" mappings, never compliance claims), and a remediation appendix.
  • Attestation: JSON/md/SARIF reports carry a reproducible SHA-256 digest over file contents, policy, plugin set, integration inventory, scores, and full check evidence — re-run on the same tree with the same flags and Skylos version, and the digest must match.
  • CI-native: skylos cicd init --defend generates the workflow step, the skylos-defend pre-commit hook gates locally, and $GITHUB_STEP_SUMMARY gets a score summary automatically in Actions.
  • Policy as code: skylos-defend.yaml pins gate thresholds and severity overrides (--policy).
  • Agent-native: the verify_agent MCP tool lets coding agents verify the agents they build — deterministic verification, not AI checking AI.

Static pre-deployment verification complements runtime controls (gateways, policy engines, human approval flows); it does not replace them. Full guide: docs/agent-verification.md.

How Skylos Fits

Skylos is not a replacement for every specialized scanner. It is a local-first repo and PR checker that puts several common review checks behind one CLI.

  • Framework-aware dead code detection: FastAPI, Django, Flask, pytest, SQLAlchemy, Next.js, React, package entrypoints, and common plugin patterns.
  • PR-focused output: diff scanning, CI thresholds, GitHub annotations, and baselines for existing findings.
  • Local-first operation: core static analysis does not require cloud upload or LLM calls.
  • AI-assisted change review: checks for removed validation, auth, logging, CSRF, rate limiting, timeouts, real-package API hallucinations, and other guardrails in generated or edited code.
  • Agent-loop verification: skylos verify and MCP verify_change return versioned JSON for only AI-code trust findings, so coding agents can self-correct before a human sees the change.
  • Evidence-backed AI defects: --ai-defects and full scans put strict AI-code failure checks under ai_defects, including phantom references, fake package APIs, nonexistent packages, impossible dependency versions, and weakened test assertions. The category/tag is ai_defect; several rules intentionally keep historical SKY-L or SKY-D IDs for suppression and baseline compatibility, while new AI-defect-only checks use SKY-A.
  • Verification-backed remediation: security fixes are checked by re-running analysis, and supported findings can include targeted regression-test proof metadata.
  • Project-specific rules: add local YAML rules and extend prompt, credential, sensitive-file, and timeout dictionaries from config.
  • One command surface: dead code, security, secrets, dependency, quality, technical debt, agent review, and pre-deployment agent verification commands share the same CLI.

Agent Harness Artifacts

skylos agent verify . records replayable verification artifacts under .skylos/runs/<run-id> and prints the run directory in table output. JSON output includes the same harness summary under the harness key.

Use skylos agent replay .skylos/runs/<run-id> to validate and inspect a saved run without making LLM calls. Add --format json when another agent or CI job needs machine-readable status. A valid replay exits 0; an invalid or corrupt artifact set exits 1 with issue codes. Replay output includes schema_version so CI and agents can detect artifact-contract changes.

Each run directory contains:

  • events.jsonl: chronological run, phase, and tool-call events.
  • state.json: full observable state, including phases, tool calls, decisions, and budget usage.
  • summary.json: compact status, counts, budget, and artifact paths.

The current harness state is observable and replay-validated. It is not yet a resume mechanism for continuing interrupted verification runs.

Install Options

# Core static analysis
pip install skylos

# LLM-powered agent workflows
pip install "skylos[llm]"

# All published optional extras
pip install "skylos[all]"

Container image:

docker pull ghcr.io/duriantaco/skylos:latest
docker run --rm -v "$PWD":/work -w /work ghcr.io/duriantaco/skylos:latest . --json --no-provenance

See Installation for source installs, container usage, and optional dependencies.

Configure Templates And Vibe Checks

Run skylos init to add these sections to pyproject.toml:

[tool.skylos]
exclude = ["node_modules", "dist"]

[tool.skylos.templates]
# security = ".skylos/templates/security.md"
# quality = ".skylos/templates/quality.md"
# security_audit = ".skylos/templates/security_audit.md"
# review = ".skylos/templates/review.md"

[tool.skylos.vibe]
extra_phantom_names = ["verify_enterprise_auth"]
extra_phantom_decorators = ["tenant_admin_required"]
extra_credential_names = ["tenant_signing_secret"]
extra_network_timeout_calls = ["vendor_sdk.fetch"]

[tool.skylos.dead_code]
entrypoints = []

[[tool.skylos.dead_code.entrypoints]]
type = "method"
name = ["create", "pre_hook", "post_hook"]
parent = { name = "Main", base_classes = ["Application"] }
path = "src/**"
reason = "project framework lifecycle hook"

[tool.skylos.contribution]
collect_local_signals = false
contribute_public_corpus = false
structural_signatures_only = true
include_source = false

Template files extend Skylos' built-in prompts; they do not replace the JSON-only output contract or untrusted-code safety rules. Vibe dictionary extensions let teams teach Skylos about local fake-auth helpers, project credential names, sensitive files, and network calls that must set timeouts. Dead-code entrypoints let teams mark proprietary framework classes, lifecycle methods, and decorator-registered functions as live using precise rules for type, name, path, decorators, base classes, and parent classes. Rules must include a symbol selector such as name, decorators, base_classes, or parent; path and module only narrow the match. Contribution signals are off by default; when enabled, Skylos records local structural accept/dismiss/learn events under .skylos/contribution/ without raw source.

By default Skylos discovers [tool.skylos] in pyproject.toml by walking up from the scan path. To use a dedicated TOML config, pass --config-file PATH or set SKYLOS_CONFIG_FILE; standalone files may use either [tool.skylos] or top-level [skylos]. Synced Skylos Cloud policy keeps its protected precedence over repository-controlled config. The top-level [tool.skylos].exclude list applies to the main scan and commands such as skylos debt and skylos clean; pass --exclude for command-local additions or --include-folder to override an excluded folder.

Language Support

LanguageDead CodeSecurityQualityLocal API Proof (verify)Notes
PythonYesYesYesSupportedstrongest coverage; framework-aware static analysis and optional tracing
TypeScript / JavaScriptYesYesYesSupportedTree-sitter parsing, package graph reachability, framework conventions
JavaYesYesYesSupportedTree-sitter parsing, structured security-flow analysis, conservative static-member proof
GoYesPartialPartialSupportednative engine status remains separate from deterministic workspace API proof
PHPYesYesPartialUnsupportedPHP parser coverage plus taint-style security sinks and sources
RustYesYesPartialUnsupportedRust parser coverage plus security sink/source checks
DartYesYesPartialUnsupportedDart parser coverage plus selected security sinks and sources
C#YesYesPartialUnsupportedC# symbol coverage plus selected ASP.NET, process, SQL, HTTP, and file sinks
KotlinYesPartialPartialUnsupportedKotlin symbol extraction with conservative static-analysis coverage
ShellNoYesPartialUnsupportedshell-script security checks for command injection, SSRF, and path traversal

See Rules Reference for rule families and scanner scope.

Config And Deployment Support

SurfaceFilesSecurity Scope
GitHub Actions.github/workflows/*.yml, .github/workflows/*.yaml, action.yml, action.yamldangerous triggers, token permissions, unpinned actions, template injection, secrets, OIDC, cache, and artifact policy
GitLab CI.gitlab-ci.ymlmutable images, unpinned includes, literal secrets, untrusted eval, Docker-in-Docker, OIDC, cache, timeout, and runner-tag policy
DockerfileDockerfile, Dockerfile.*, *.dockerfiledangerous RUN commands, remote ADD without checksum, and literal build ARG / ENV secrets
Edge Docker Composecompose*.yml, compose*.yaml, docker-compose*.yml, docker-compose*.yamlprivileged containers, broad host device/control mounts, GPU/device runtime, and host networking
Edge systemd*.serviceroot edge services, mutable ExecStart paths, missing sandboxing, broad capabilities, and broad device access

Benchmark Snapshot

Skylos has checked-in regression benchmarks for dead code, security, quality, and agent review. These are strict regression gates, not broad proof that any tool is universally state of the art.

SuiteCurrent Skylos ResultBaseline
Dead code regression16 cases, TP=36 FP=0 FN=0 TN=59, score 100.0Ruff score 62.67; Vulture not installed in latest local rerun
Security regression56 cases, TP=35 FP=0 FN=0 TN=23, score 100.0Bandit score 47.14 on Python-applicable cases
Quality regression13 cases, score 100.0regression gate only
Agent review25 cases, score 100.0regression gate only
AI-code defect regressioncurated verifier cases for hallucinated references, package APIs, and dependency versionsrun python scripts/ai_code_defect_benchmark.py

Frozen golden-v0.2 highlights:

Frozen SuiteSkylos ResultCaveat
Dead code seeded devoverall score 96.28; TS/JS/Go/Java score 100.0; Python score 93.33Python residuals are label-review items
Security seeded devoverall score 96.52; full recall with one Python urljoin false positivelabel should be reviewed
OWASP Java security devTP=105 FP=0 FN=15 TN=120, score 94.37request-wrapper, LDAP, XPath, and property weak-hash gaps remain
Quality seeded devTP=1 FP=0 FN=0 TN=1, score 100.0one seeded case only

For methodology, commands, competitor rows, and caveats, see BENCHMARK.md.

Project Evidence

Skylos-assisted dead-code cleanup PRs have been merged in Black, NetworkX, Optuna, mitmproxy, pypdf, beets, and Flagsmith. These are accepted cleanup PRs, not project endorsements. See Real-World Results.

A local Astronomer scan on April 26, 2026 computed 420 stargazers and returned overall trust: A. StarGuard also reported low fake-star risk.

Integrations

IntegrationLinkPurpose
GitHub ActionGitHub ActionPR gates, annotations, and CI enforcement
VS Code extensionVS Code extensionin-editor findings and AI-assisted fixes
MCP serverMCP setupexpose Skylos scans to AI agents and coding assistants
Docker imageInstallationrun Skylos without a local Python install
Skylos CloudCloud workflowoptional upload and dashboard workflows

Generate a GitHub Actions workflow from the CLI:

skylos cicd init --upload
skylos cicd init --upload --scan-path apps/api

The generated upload workflow uses GitHub OIDC, sends PR head commit/branch metadata, and supports monorepo subprojects through --scan-path.

Documentation Map

NeedRead This
Install options, source install, and DockerInstallation
First scan and core workflowsQuick Start
CLI commands, flags, and examplesCLI Reference
CLI output modes, pretty reports, and TUI controlsCLI Output Modes
CI setup, PR gates, annotations, and branch protectionCI/CD
Dead-code behavior and framework awarenessDead Code Detection
Security scanning and taint analysisSecurity Analysis
Rule ID prefixes and product terminologyRule Dictionary
Agent scan, verification, remediation, and model setupAI Features
AI defense checks and LLM guardrailsAI Defense
MCP server setupMCP Server
Real-world merged cleanup PRsReal-World Results
Baselines, filtering, suppressions, and whitelistsConfiguration
Smart tracingSmart Tracing
Rule families and language supportRules Reference
Cloud uploads and dashboard flowCLI to Dashboard
VS Code extensionVS Code Extension
Benchmarks and methodologyBENCHMARK.md
Security policySECURITY.md
Release processRELEASE_WORKFLOW.md
Contribution prioritiesROADMAP.md
ContributingCONTRIBUTING.md

Common Questions

Does Skylos replace Bandit, Semgrep, CodeQL, or Vulture?

No. Skylos can run alongside them. It focuses on framework-aware dead-code signal, PR gating, AI-era regression checks, and a combined workflow across dead code, security, secrets, quality, and AI-defect checks.

Does Skylos require an LLM?

No. Core static analysis runs locally without API keys. LLM features are optional through skylos[llm] and agent commands.

Can I use it only on changed code?

Yes. Use skylos . -a --diff origin/main locally or configure CI gates to focus on new findings.

How should I handle intentional dynamic code?

Use baselines, whitelists, inline suppressions, or runtime tracing. See the configuration docs and smart tracing docs.

Contributing And Support

  • Report security issues through SECURITY.md.
  • Open bugs and false-positive reports with minimal repros.
  • Check ROADMAP.md for useful contribution areas.
  • Read CONTRIBUTING.md before sending a pull request.
  • See QUALITY.md for project quality and gate expectations.
  • Join the Discord for community support.

License

Skylos is licensed under the Apache License 2.0.

Featured
CodeRabbit
CodeRabbit
AI writes the code. CodeRabbit catches the slop.
Try For Free →
AppSignal
AppSignal
Monitor with ease. Code with confidence.
Start Free Trial →
AI notepad for back-to-back meetings
AI notepad for back-to-back meetings
Notes, actions and memory. Without a meeting bot. First month 100% off.
Download for free →
Keep your Mac awake
Keep your Mac awake
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Email for Agents: Free tier availableEmail for Agents: Free tier available
Email for Agents: Free tier available
Give your AI agent a complete email layer—sending, inbound inboxes, and sandbox testing.
Get 4K emails/month free →
Context.devContext.dev
Context.dev
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
CodeScene MCP ServerCodeScene MCP Server
CodeScene MCP Server
Your agent targets a perfect 10 Code Health score. Deterministic. Every commit.
Try For Free →
Make your agent a DeFi expert
Make your agent a DeFi expert
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →

Configuration

SKYLOS_API_KEYsecret

Skylos API key for cloud features and MCP authentication

Categories
Security & Pentesting
Registryactive
Packageskylos
TransportSTDIO
AuthRequired
UpdatedMar 11, 2026
View on GitHub

Related Security & Pentesting MCP Servers

View all →
Exploit Intelligence Platform — CVE, Vulnerability and Exploit Database

com.exploit-intel/eip-mcp

Real-time CVE, exploit, and vulnerability intelligence for AI assistants (350K+ CVEs, 115K+ PoCs)
Semgrep

semgrep/mcp

A MCP server for using Semgrep to scan code for security vulnerabilities.
666
Pentest

dmontgomery40/pentest-mcp

NOT for educational purposes: An MCP server for professional penetration testers including STDIO/HTTP/SSE support, nmap, go/dirbuster, nikto, JtR, hashcat, wordlist building, and more.
137
Notebooklm Mcp Secure

pantheon-security/notebooklm-mcp-secure

Security-hardened NotebookLM MCP with post-quantum encryption
68
Pentest Mcp Server

cyanheads/pentest-mcp-server

Offline methodology engine for authorized penetration testing, CTF, and security research.
1
AI Firewall MCP

io.github.akhilucky/ai-firewall-mcp

Multi-agent LLM security layer detecting prompt injection and jailbreaks.