MCP.so
Sign In
Servers

Skylos

@duriantaco

Dead code detection, security scanning, and code quality analysis for Python, TypeScript, and Go. 98% recall with 3x fewer false positives than Vulture. 5 tools: analyze, security_scan, quality_check, secrets_scan, remediate. AI-powered auto-fix agent.

Overview

What is Skylos?

Skylos is a privacy-first SAST tool for Python, TypeScript, and Go that detects dead code, security vulnerabilities (SQLi, SSRF, secrets), and code quality issues with high precision. It uses a hybrid engine (AST + optional local/cloud LLM) and supports agentic AI fixes, making it suitable for developers and security teams who want fast, accurate static analysis that respects code privacy.

How to use Skylos?

Install via pip (pip install skylos) and run commands like skylos . to scan for dead code, skylos . --secrets --danger --quality for security and quality audits, or skylos agent analyze . --model gpt-4.1 for AI-powered analysis. For CI/CD, run skylos cicd init to generate a GitHub Actions workflow in 30 seconds.

Key features of Skylos

  • Privacy-first: 100% local analysis with optional local LLMs
  • Taint analysis for SQLi, XSS, and untrusted input tracking
  • Secrets detection (AWS, Stripe, OpenAI keys, etc.)
  • Dead code detection with confidence scoring and safe removal
  • Vibe coding guardrails (phantom calls, unfinished stubs, AI hallucination patterns)
  • AI supply chain security (prompt injection, zero-width characters, homoglyphs)
  • Agentic AI remediation that fixes and opens PRs automatically
  • CI/CD quality gates and inline PR review comments

Use cases of Skylos

  • Find and remove dead code (unused functions, imports) in Python, TypeScript, and Go projects
  • Detect hardcoded secrets and security vulnerabilities before they reach production
  • Set up automated quality gates that block risky code from merging in CI/CD
  • Audit AI-generated code for hallucinations, unfinished stubs, and bypassed security controls
  • Run hybrid static + LLM analysis to deeply review project for logic bugs and architectural issues

FAQ from Skylos

What languages does Skylos support?

Python, TypeScript, and Go.

Is my code sent to the cloud?

No. Skylos is designed to be 100% local and privacy-first. When using the optional cloud LLM analysis, you can choose to send selected files, but local LLMs (Ollama, LM Studio) keep everything on your machine.

How does Skylos compare to Vulture?

In benchmarks on 9 popular Python repos, Skylos achieved 98.1% recall (51/52) vs Vulture’s 84.6% (44/52), with only 220 false positives compared to Vulture’s 644. Skylos is also framework-aware (FastAPI, Django, pytest) and supports security scanning, TypeScript, and Go.

Does Skylos require an API key?

Not for local scan modes. For AI-powered analysis you can use a local LLM (no API key) or provide a key for cloud models like GPT‑4.1 or Claude.

Can Skylos run in CI/CD?

Yes. Use skylos cicd init to generate a GitHub Actions workflow in 30 seconds. It automatically adds dead code detection, security scanning, and quality gates on every PR.

Tags

More from Developer Tools