Skylos

A hybrid SAST and dead code detection tool for Python, TypeScript, and Go that combines AST-based static analysis with optional LLM-powered remediation, offering framework-aware false-positive reduction and CI/CD integration.

Evaluated Mar 06, 2026 (version evaluated: latest)
Category: Developer Tools
Tags: sast, dead-code, python, typescript, go, security, mcp, ci-cd, ai-agents, ast, taint-analysis
⚙ Agent Friendliness: 72 / 100 (Can an agent use this?)
🔒 Security: 74 / 100 (Is it safe for agents?)
⚡ Reliability: 66 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 65
Documentation: 78
Error Messages: 68
Auth Simplicity: 80
Rate Limits: 68

🔒 Security

TLS Enforcement: 85
Auth Strength: 72
Scope Granularity: 65
Dep. Hygiene: 78
Secret Handling: 70

Agent orchestration/workflow tool. Local execution context. Validate all tool parameters before execution. Sandbox agent capabilities based on trust level.

⚡ Reliability

Uptime/SLA: 68
Version Stability: 68
Breaking Changes: 65
Error Recovery: 65

Best When

You maintain a Python, TypeScript, or Go codebase and need a framework-aware dead code remover and security scanner that minimizes false positives and integrates with CI/CD.

Avoid When

You need broad multi-language SAST coverage (Java, C#, Ruby, etc.) or require a SOC 2-certified commercial SAST solution.

Use Cases

  • Detect and safely remove dead code (unused functions, orphan classes, unused imports) from Python, TypeScript, and Go codebases
  • Run security scans for SQL injection, XSS, command injection, secrets, and SSRF vulnerabilities with low false-positive rates
  • Automate code remediation and PR creation using AI agents connected via the MCP server interface
  • Enforce quality gates in CI/CD pipelines with GitHub Actions integration and inline PR annotation
  • Audit large legacy codebases to reduce maintenance burden while preserving framework-required code (pytest fixtures, FastAPI routes)

Not For

  • Languages beyond Python, TypeScript/TSX, and Go — multi-language polyglot projects need additional tools
  • Teams wanting a fully managed SaaS SAST tool — Skylos is self-hosted
  • Runtime security monitoring — Skylos is static analysis only (no RASP or DAST capabilities)

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: api_key
OAuth: No
Scopes: No

AI agent features require LLM API key (OpenAI, Anthropic, or Ollama local). Core static analysis requires no credentials.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Apache 2.0 open source. AI-powered remediation incurs LLM API costs. Local LLMs (Ollama) available for zero-cost AI features.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Go analysis requires a separate standalone binary — not just pip install
  • AI remediation with auto-PR requires GitHub token and write access to the repo
  • Framework-aware exclusions (Flask, Django, FastAPI) require correct project structure detection
  • Performance benchmark comparisons are self-reported against Vulture only; not independently verified
  • LibCST-based safe removal may fail on syntactically unusual or macro-heavy Python code

Scores are editorial opinions as of 2026-03-06.
