Skylos
Open-source Python, TypeScript, and Go SAST with dead code detection. Finds secrets, exploitable flows, and AI regressions. VS Code extension, GitHub Action, and MCP server for AI agents.
README
📖 Website · Documentation · Blog · VS Code Extension
What is Skylos?
Skylos is a local-first scanner for Python, TypeScript, and Go that helps teams catch dead code, secrets, and exploitable flows before they land in main.
The core use case is straightforward: run it locally, add it to CI, and gate pull requests on real findings with GitHub annotations and review comments. Advanced features like AI defense, remediation agents, VS Code, MCP, and cloud upload are available, but you do not need any of them to get value from Skylos.
Start here
| Goal | Command | What you get |
|:---|:---|:---|
| Scan a repo | skylos . -a | Dead code, risky flows, secrets, and code quality findings |
| Gate pull requests | skylos cicd init | A GitHub Actions workflow with a quality gate and inline annotations |
| Audit an LLM app | skylos defend . | Optional AI defense checks for Python LLM integrations |
Why teams adopt it
- Better dead code signal on real frameworks: Skylos understands FastAPI, Django, Flask, pytest, Next.js, React, and more, so dynamic code produces less noise.
- One workflow instead of three tools: Dead code, security scanning, and PR gating live in the same CLI and CI flow.
- Local-first by default: You can keep scans on your machine and add optional AI or cloud features later if you need them.
Why Skylos over Vulture?
| | Skylos | Vulture |
|:---|:---|:---|
| Recall | 98.1% (51/52) | 84.6% (44/52) |
| False Positives | 220 | 644 |
| Framework-aware (FastAPI, Django, pytest) | Yes | No |
| Security scanning (secrets, SQLi, SSRF) | Yes | No |
| AI-powered analysis | Yes | No |
| CI/CD quality gates | Yes | No |
| TypeScript + Go support | Yes | No |
Benchmarked on 9 popular Python repos (350k+ combined stars) plus one TypeScript repo (consola). Every finding was manually verified; see the full case study for details.
🚀 New to Skylos? Start with CI/CD Integration
```bash
# Generate a GitHub Actions workflow in 30 seconds
skylos cicd init
# Commit and push to activate (a push without a commit ships nothing)
git add .github/workflows/skylos.yml && git commit -m "Add Skylos workflow" && git push
```
What you get:
- Automatic dead code detection on every PR
- Security vulnerability scanning (SQLi, secrets, dangerous patterns)
- Quality gate that fails builds on critical issues
- Inline PR review comments with file:line links
- GitHub Annotations visible in the "Files Changed" tab
No configuration needed - works out of the box with sensible defaults. See CI/CD section for customization.
Table of Contents
- What is Skylos?
- Quick Start
- Key Capabilities
- Installation
- Skylos vs Vulture
- Projects Using Skylos
- How It Works
- Advanced Workflows
- CI/CD
- MCP Server
- Baseline Tracking
- Gating
- VS Code Extension
- Integration and Ecosystem
- Auditing and Precision
- Coverage Integration
- Filtering
- CLI Options
- FAQ
- Limitations and Troubleshooting
- Contributing
- Roadmap
- License
- Contact
Quick Start
If you are evaluating Skylos, start with the core workflow below. The LLM and AI defense commands are optional.
Core Workflow
| Objective | Command | Outcome |
| :--- | :--- | :--- |
| First scan | skylos . | Dead code findings with confidence scoring |
| Audit risk and quality | skylos . -a | Dead code, risky flows, secrets, quality, and SCA findings |
| Higher-confidence dead code | skylos . --trace | Cross-reference static findings with runtime activity |
| Review only changed lines | skylos . --diff origin/main | Focus findings on active work instead of legacy debt |
| Gate locally | skylos --gate | Fail on findings before code leaves your machine |
| Set up CI/CD | skylos cicd init | Generate a GitHub Actions workflow in 30 seconds |
| Gate in CI | skylos cicd gate --input results.json | Fail builds when issues cross your threshold |
Optional Workflows
| Objective | Command | Outcome |
| :--- | :--- | :--- |
| Detect Unused Pytest Fixtures | skylos . --pytest-fixtures | Find unused @pytest.fixture across tests + conftest |
| AI-Powered Analysis | skylos agent scan . --model gpt-4.1 | Static-first analysis plus judge-all LLM verification for dead code |
| Dead Code Verification | skylos agent verify . --model gpt-4.1 | Dead-code-only second pass: static findings reviewed by the LLM |
| Security Audit | skylos agent scan . --security | Deep LLM security review with interactive file selection |
| Auto-Remediate | skylos agent remediate . --auto-pr | Scan, fix, test, and open a PR — end to end |
| Code Cleanup | skylos agent remediate . --standards | LLM-guided code quality cleanup against coding standards |
| PR Review | skylos agent scan . --changed | Analyze only git-changed files |
| PR Review (JSON) | skylos agent scan . --changed --format json -o results.json | LLM review with code-level fix suggestions |
| Local LLM | skylos agent scan . --base-url http://localhost:11434/v1 --model codellama | Use Ollama/LM Studio (no API key needed) |
| PR Review (CI) | skylos cicd review -i results.json | Post inline comments on PRs |
| AI Defense: Discover | skylos discover . | Map all LLM integrations in your codebase |
| AI Defense: Defend | skylos defend . | Check LLM integrations for missing guardrails |
| AI Defense: CI Gate | skylos defend . --fail-on critical --min-score 70 | Block PRs with critical AI defense gaps |
| Whitelist | skylos whitelist 'handle_*' | Suppress known dynamic patterns |
Demo
Backup (GitHub): https://github.com/duriantaco/skylos/discussions/82
Key Capabilities
The core product is dead code detection, security scanning, and PR gating. The AI-focused features below are optional layers on top of that baseline workflow.
Security Scanning (SAST)
- Taint Analysis: Traces untrusted input from API endpoints (sources) to database queries and rendered output (sinks) to catch SQL injection and XSS.
- Secrets Detection: Finds hardcoded API keys (AWS, Stripe, OpenAI) and private credentials before they are committed.
- Vulnerability Checks: Flags dangerous patterns such as `eval()`, unsafe `pickle` deserialization, and weak cryptography.
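To make the source-to-sink idea concrete, here is an added example written for this page (not Skylos's own analyzer): a toy intra-procedural taint tracker built on Python's `ast` module. Values read from Flask's `request` object are sources, `.execute*()` calls are sinks, taint propagates through assignment, f-strings and string concatenation, and a numeric cast is treated as a sanitizer. The sample handlers, the sink list and the `int`/`float` sanitizer set are constructed assumptions.

```python
"""Toy intra-procedural taint tracker for Flask request handlers.
Added example, not Skylos's code: request reads are sources, .execute*() are sinks."""
import ast

SINK_NAMES = {"execute", "executemany", "executescript"}
SANITIZERS = {"int", "float"}  # assumption: a numeric cast removes injection risk


def _name_of(node: ast.AST) -> str:
    """Dotted name of a Name/Attribute/Call/Subscript chain, e.g. 'request.args.get'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_name_of(node.value)}.{node.attr}"
    if isinstance(node, ast.Call):
        return _name_of(node.func)
    if isinstance(node, ast.Subscript):
        return _name_of(node.value)
    return ""


def _is_tainted(node: ast.AST, tainted: set[str]) -> bool:
    """True if the expression may carry attacker-controlled data."""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Call):
        callee = _name_of(node.func)
        if callee in SANITIZERS:
            return False
        if callee.startswith("request."):
            return True  # a read from the request object is a source
        # str(x), x.format(...), x.lower() keep the taint of their operands
        return any(_is_tainted(a, tainted) for a in node.args) or _is_tainted(node.func, tainted)
    if isinstance(node, (ast.Attribute, ast.Subscript)):
        return _name_of(node).startswith("request.") or _is_tainted(node.value, tainted)
    if isinstance(node, ast.JoinedStr):  # f-string
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):  # "..." + x  and  "..." % x
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    return False


class _Tracker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.tainted: set[str] = set()
        self.findings: list[tuple[int, str]] = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        self.tainted = set()  # per-function state: this toy is intra-procedural only
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        if _is_tainted(node.value, self.tainted):
            self.tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        callee = _name_of(node.func)
        # Only the SQL text (first argument) is checked; bound parameters are safe.
        if callee.rsplit(".", 1)[-1] in SINK_NAMES and node.args \
                and _is_tainted(node.args[0], self.tainted):
            self.findings.append((node.lineno, callee))
        self.generic_visit(node)


def find_sqli(source: str) -> list[tuple[int, str]]:
    """Return (line, sink callee) for every sink whose SQL argument is tainted."""
    tracker = _Tracker()
    tracker.visit(ast.parse(source))
    return tracker.findings


# Constructed sample module (not from the page): two injectable handlers, two clean ones.
SAMPLE = '''from flask import request
import sqlite3

cur = sqlite3.connect("app.db").cursor()

def unsafe_fstring():
    name = request.args.get("name")
    query = f"SELECT * FROM users WHERE name = '{name}'"
    cur.execute(query)                                          # injectable: f-string

def unsafe_concat():
    uid = request.form["id"]
    cur.execute("SELECT * FROM users WHERE id = " + uid)       # injectable: concatenation

def safe_parameterized():
    name = request.args.get("name")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))  # literal SQL, bound value

def safe_numeric_cast():
    uid = int(request.args.get("id", "0"))
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")       # int() sanitizes
'''

if __name__ == "__main__":
    for line, callee in find_sqli(SAMPLE):
        print(f"line {line}: tainted SQL reaches {callee}()")
```

The two safe handlers show the two decisions a real taint engine has to get right: the parameterized query is clean because only the SQL text argument is inspected, and the `int()` cast is treated as a sanitizer so the f-string built from it is not reported. A production scanner additionally follows taint across function boundaries and modules, which this single-visitor toy deliberately does not.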
AI-Generated Code Guardrails
Skylos can also flag common AI-generated code mistakes. Every finding includes `vibe_category` and `ai_likelihood` (high/medium/low) metadata so you can filter them separately if you want.

- Phantom Call Detection: Catches calls to security functions (`sanitize_input`, `validate_token`, `check_permission`, etc.) that are never defined or imported. AI hallucinates these constantly. (`hallucinated_reference`, high)
- Phantom Decorator Detection: Catches security decorators (`@require_auth`, `@rate_limit`, `@authenticate`, etc.) that are never defined or imported. (`hallucinated_reference`, high)
- Unfinished Generation: Detects functions whose body is only `pass`, `...`, or `raise NotImplementedError`: AI-generated stubs that silently do nothing in production. (`incomplete_generation`, medium)
- Undefined Config: Flags `os.getenv("ENABLE_X")` reads of feature flags that are never defined anywhere in the project. (`ghost_config`, medium)
- Stale Mock Detection: Catches `mock.patch("app.email.send_email")` where `send_email` no longer exists. AI renames functions but leaves tests pointing at the old name. (`stale_reference`, medium)
- Security TODO Scanner: Flags `# TODO: add auth` placeholders that AI left behind and nobody finished.
- Disabled Security Controls: Detects `verify=False`, `@csrf_e
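The phantom-call, phantom-decorator and unfinished-generation checks listed above can be approximated in a few dozen lines. The following is an added example for this page, not Skylos's code: it collects every name a module defines, imports or binds, then flags bare-name calls and decorators that resolve to nothing, and functions whose body is only `pass`, `...` or `raise NotImplementedError`. The sample module is constructed, and the `vibe_category` strings reuse the labels above. Because a single-module toy only sees local definitions, anything imported from another file counts as defined by name and star imports are not resolved.

```python
"""Toy detector for three AI-generated-code regressions: calls to undefined helpers,
undefined decorators, and unfinished stubs. Added example, not Skylos's implementation."""
import ast
import builtins


def _defined_names(tree: ast.AST) -> set[str]:
    """Every name this module defines, imports or binds, plus the builtins."""
    names = set(dir(builtins))
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            names.add(node.name)
            if not isinstance(node, ast.ClassDef):
                a = node.args
                params = a.posonlyargs + a.args + a.kwonlyargs + [x for x in (a.vararg, a.kwarg) if x]
                names.update(p.arg for p in params)
        elif isinstance(node, ast.Import):
            names.update((alias.asname or alias.name).split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            names.update(alias.asname or alias.name for alias in node.names)
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            names.add(node.id)  # assignment, for-loop and with-as targets
    return names


def _is_stub(fn: ast.FunctionDef) -> bool:
    """Body is (optionally a docstring plus) exactly pass, ..., or raise NotImplementedError."""
    body = fn.body
    if body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant) \
            and isinstance(body[0].value.value, str):
        body = body[1:]  # skip the docstring
    if len(body) != 1:
        return False
    stmt = body[0]
    if isinstance(stmt, ast.Pass):
        return True
    if isinstance(stmt, ast.Expr):
        return isinstance(stmt.value, ast.Constant) and stmt.value.value is Ellipsis
    if isinstance(stmt, ast.Raise) and stmt.exc is not None:
        exc = stmt.exc.func if isinstance(stmt.exc, ast.Call) else stmt.exc
        return isinstance(exc, ast.Name) and exc.id == "NotImplementedError"
    return False


def find_ai_regressions(source: str) -> list[tuple[int, str, str]]:
    """Return sorted (line, vibe_category, name) findings for one module's source."""
    tree = ast.parse(source)
    defined = _defined_names(tree)
    findings: set[tuple[int, str, str]] = set()  # a set: a decorator call is seen twice
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id not in defined:  # phantom call
                findings.add((node.lineno, "hallucinated_reference", node.func.id))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for deco in node.decorator_list:  # phantom decorator
                target = deco.func if isinstance(deco, ast.Call) else deco
                if isinstance(target, ast.Name) and target.id not in defined:
                    findings.add((deco.lineno, "hallucinated_reference", target.id))
            if _is_stub(node):
                findings.add((node.lineno, "incomplete_generation", node.name))
    return sorted(findings)


# Constructed sample module (not from the page). reset_password raises
# NotImplementedError but has real statements too, so it is not a stub.
SAMPLE = '''from flask import request

def require_auth(fn):
    return fn

@require_auth
def list_users():
    return query_users(sanitize_input(request.args.get("q")))

@rate_limit(100)
def reset_password():
    token = request.args.get("token")
    if not validate_token(token):
        return "forbidden", 403
    raise NotImplementedError

def query_users(q):
    return [q]

def check_permission(user, action):
    """TODO: implement RBAC check."""
    ...
'''

if __name__ == "__main__":
    for line, category, name in find_ai_regressions(SAMPLE):
        print(f"line {line}: {category}: {name}")
```

Running it on the sample reports `sanitize_input`, `rate_limit` and `validate_token` as hallucinated references and `check_permission` as incomplete generation, while `require_auth` and `query_users` are found because they are defined in the module (definition order does not matter, since names are collected in a first pass).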

