
Skylos

Added Feb 25, 2026
Category: Agent & Tooling
Open Source
Tags: Python, TypeScript, Model Context Protocol, Go, AI Agents, CLI, Agent & Tooling, Model & Inference Framework, Developer Tools & Coding, Security & Privacy

Hybrid static analysis tool combining SAST with local LLM agents for automated dead code removal, security vulnerability detection, and code quality gates. Features confidence scoring and LibCST-based safe removal, supporting Python, TypeScript/TSX, and Go.

Skylos is a high-precision Python SAST (Static Application Security Testing) and dead code removal tool.

Core Capabilities

Dead Code Detection & Removal

  • Build full codebase reference graphs to identify zero-reference functions, classes, and variables
  • Framework-aware: Auto-detects Django/Flask/FastAPI routes, pytest fixtures, Celery tasks as entry points
  • Confidence scoring system (0-100); high-confidence findings are considered safe to delete
  • LibCST-based safe removal preserving syntax integrity
  • Runtime tracing (--trace) with test coverage to eliminate dynamic dispatch false positives

Security Scanning (SAST)

  • Taint analysis: Track data flow from user inputs to dangerous sinks
  • Vulnerability detection rules:
    • SKY-D211: SQL injection
    • SKY-D212: Command injection
    • SKY-D215: Path traversal
    • SKY-D216: SSRF
    • SKY-D201/202: eval()/exec() dangerous calls
    • SKY-D204: Pickle unsafe deserialization
    • SKY-D231: CORS misconfiguration
    • SKY-D232: JWT vulnerabilities
  • Secret detection: Identify hardcoded API keys (AWS, Stripe, OpenAI, etc.)

Code Quality Analysis

  • Cyclomatic complexity (SKY-Q301), nesting depth (SKY-Q302)
  • Async blocking call detection (SKY-Q401)
  • Class coupling CBO (SKY-Q701), class cohesion LCOM (SKY-Q702)
  • Architecture quality: Distance from main sequence, DIP violations

AI Agent Integration

  • Hybrid analysis architecture: Static analysis + LLM reasoning
  • Supported models: OpenAI (GPT-4.1), Anthropic (Claude), Ollama local models, Gemini, Groq, Mistral
  • Auto-remediation: skylos agent remediate end-to-end scan→fix→test→create PR
  • Privacy-first: Supports 100% local LLM (Ollama/LM Studio)

MCP Server

  • Expose analysis capabilities as MCP (Model Context Protocol) service
  • Support Claude Desktop and other AI assistants to scan codebases directly
  • Provided tools: analyze, security_scan, quality_check, secrets_scan, remediate

Multi-language Support

Language | Parser | Dead Code | Security | Quality
Python | AST
TypeScript/TSX | Tree-sitter
Go | Standalone binary --

Quick Start

# Install
pip install skylos

# Initialize config
skylos init

# Basic scan
skylos .

# Full scan (security + quality + secrets)
skylos . --danger --secrets --quality

# AI-powered analysis
skylos agent analyze . --model gpt-4.1

# CI/CD integration
skylos cicd init

Key CLI Commands

Command | Description
skylos PATH | Static analysis
skylos agent analyze PATH | Hybrid static + LLM analysis
skylos agent security-audit PATH | Deep LLM security audit
skylos agent remediate PATH | End-to-end remediation
skylos baseline PATH | Create baseline snapshot
skylos cicd init | Generate GitHub Actions workflow
skylos run | Launch Web UI (localhost:5090)

Configuration Example

[tool.skylos]
complexity = 10        # Cyclomatic complexity threshold
nesting = 3            # Nesting depth threshold
max_args = 5           # Max arguments
model = "gpt-4.1"      # LLM model

[tool.skylos.gate]
fail_on_critical = true
max_security = 0
max_quality = 10

Ecosystem Integration

  • GitHub Actions: skylos cicd init one-click workflow generation
  • VS Code Extension: Real-time analysis, AI monitor, CodeLens fixes
  • MCP Protocol: Claude Desktop and AI assistants direct integration
  • CI/CD Quality Gates: --gate parameter blocks non-compliant code merges

Key Mechanisms

  • Smart Tracing: Uses sys.settrace() to record actual function calls during tests
  • Baseline Tracking: Saves snapshots to .skylos/baseline.json, CI reports only new issues
  • Inline Ignore: # pragma: no skylos or # skylos: ignore-start/end
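
The idea behind the Smart Tracing bullet above (and the --trace bullet under Dead Code Detection), as an added example that is not Skylos's own code: a function reached only through dynamic dispatch looks unreferenced to a static pass, and a sys.settrace() run of the tests clears it. The sample module, its function names and the naive name-based static pass are constructed assumptions.

```python
import ast
import sys

# Constructed sample module: handle_ping is reached only through a dynamic
# lookup, so a name-based reference scan sees no direct reference to it.
SAMPLE = '''
def handle_ping():
    return "pong"

def unused_helper():
    return 0

def dispatch(command):
    return globals()["handle_" + command]()

def test_dispatch():
    assert dispatch("ping") == "pong"
'''

def static_candidates(source, entry_points):
    """Naive static pass: functions defined but never referenced by name."""
    tree = ast.parse(source)
    defined = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    referenced = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return defined - referenced - set(entry_points)

def traced_calls(source, test_name, filename="<sample>"):
    """Run one test under sys.settrace() and return the functions that executed."""
    namespace = {}
    exec(compile(source, filename, "exec"), namespace)  # constructed sample only
    called = set()

    def tracer(frame, event, arg):
        if event == "call" and frame.f_code.co_filename == filename:
            called.add(frame.f_code.co_name)
        return None  # call events are enough; skip per-line tracing

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        namespace[test_name]()
    finally:
        sys.settrace(previous)  # restore any coverage/debugger tracer
    return called

def dead_code(source, test_name):
    """Static candidates minus anything the traced test run actually called."""
    static = static_candidates(source, entry_points=[test_name])
    return static - traced_calls(source, test_name)
```

Tracing only shows what the tests executed: a function the tests never exercise stays a candidate, which is not proof that it is dead.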

Apache 2.0 License | Python 3.9-3.12 support
