Built for teams shipping with Cursor, Copilot, and Claude Code

Catch what AI writes wrong. Catch what it silently removes.

Skylos is the open source Python security and static analysis tool for teams shipping AI-generated code. Find dead code, hallucinated imports, risky patterns, and removed auth, CSRF, or rate-limit controls before merge, and add guardrails around MCP-driven workflows.

Local scan is free — run skylos . -a on a repo you care about. No login required.

Open source CLI, no signup required
Try locally first, then add PR gates
Framework-aware for Django, Flask, FastAPI, and Pydantic
Maintainer-validated proof

Merged cleanup PRs into Black, networkx, mitmproxy, pypdf, and Flagsmith.

This is stronger than a testimonial: maintainers reviewed the findings, merged the changes, and kept the code.

snippet.py (2 findings)

HIGH  SKY-D211  Possible SQL injection: tainted input appears interpolated into SQL execute()
snippet.py:7

Source:
from flask import request

def search_users(conn):
    q = request.args.get("q")
    sql = f"SELECT * FROM users WHERE name = '{q}'"
    cur = conn.cursor()
    cur.execute(sql)
    return cur.fetchall()
Run on your repo
$ skylos . --danger --quality --upload

Lightweight demo — full scanner uses repo context and 200+ rules.
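As an added example (not Skylos code, and not the rule set the scanner ships), here is a minimal AST check for the shape the finding above describes: an f-string, or a local name assigned from one, reaching cursor.execute(). Beside it sits the parameterized rewrite that resolves the finding, run against a throwaway in-memory SQLite table so the difference in behaviour is visible. The sample functions, the table, and the rule logic are all constructed for this illustration.

```python
"""Added example, not Skylos code: a minimal AST rule for the SKY-D211-style
pattern (an f-string reaching cursor.execute()), plus the parameterized form
that resolves it. Everything here is constructed for illustration."""
import ast
import sqlite3

# Constructed sample: the vulnerable shape from the card above, next to the
# safe variant that binds the value as a parameter instead of interpolating it.
SAMPLE = '''
def search_users_unsafe(conn, q):
    sql = f"SELECT * FROM users WHERE name = '{q}'"
    cur = conn.cursor()
    cur.execute(sql)
    return cur.fetchall()

def search_users_safe(conn, q):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (q,))
    return cur.fetchall()
'''


def find_interpolated_execute(source: str) -> list[int]:
    """Line numbers of .execute() calls whose first argument is an f-string
    or a local name assigned from an f-string (a one-hop taint check)."""
    hits = set()
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        # Names bound to an f-string anywhere in this function body.
        fstring_names = set()
        for node in ast.walk(func):
            if isinstance(node, ast.Assign) and isinstance(node.value, ast.JoinedStr):
                fstring_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
        for node in ast.walk(func):
            if not (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute"
                    and node.args):
                continue
            arg = node.args[0]
            if isinstance(arg, ast.JoinedStr) or (
                    isinstance(arg, ast.Name) and arg.id in fstring_names):
                hits.add(node.lineno)
    return sorted(hits)


def rows_returned(func_name: str, q: str) -> int:
    """Run one of the sample functions against an in-memory table to show why
    the finding matters: the unsafe version lets the input rewrite the WHERE
    clause, the safe version treats it as a plain value."""
    ns: dict = {}
    exec(SAMPLE, ns)  # materialise the constructed sample functions
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return len(ns[func_name](conn, q))


if __name__ == "__main__":
    print("flagged lines:", find_interpolated_execute(SAMPLE))        # [5]
    tautology = "' OR '1'='1"
    print("unsafe:", rows_returned("search_users_unsafe", tautology))  # 2 (every row)
    print("safe:  ", rows_returned("search_users_safe", tautology))    # 0
```

The check is deliberately one hop deep: it follows a name to an f-string inside the same function and nothing further. A real rule also has to track values across calls, `.format()` and `%` formatting, and string concatenation, which is where repo-wide context earns its runtime.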

Get started free

What teams use Skylos to catch

The value is not generic linting. It is catching believable mistakes before they merge.

Removed security controls

Catch when refactors remove auth decorators, CSRF checks, rate limits, or other security controls that reviewers miss.
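One way to catch this class of regression, as an added example that is not Skylos code: parse the "before" and "after" versions of a module, record the decorators on every function, and report functions that lost a security decorator as well as new route handlers that never had one. The decorator lists and the two source snapshots are constructed for the illustration; a production rule would be framework-aware and configurable.

```python
"""Added example, not Skylos code: compare the decorator lists of each function
in a "before" and "after" version of a module and report security decorators
that disappeared, plus new route handlers that never had one. The decorator
names and the two source snapshots are constructed."""
import ast

# Decorators treated as security controls and as route registrations
# (constructed lists for this example).
SECURITY_DECORATORS = {"login_required", "permission_required",
                       "csrf_protect", "ratelimit", "limit"}
ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}

BEFORE = '''
@app.route("/admin")
@login_required
@limiter.limit("10/minute")
def admin_panel():
    return render()

@app.route("/health")
def health():
    return "ok"
'''

AFTER = '''
@app.route("/admin")
@limiter.limit("10/minute")
def admin_panel():
    return render()

@app.route("/health")
def health():
    return "ok"

@app.route("/export")
def export_data():
    return dump()
'''


def decorator_name(node: ast.expr) -> str:
    """@login_required -> 'login_required'; @limiter.limit("10/m") -> 'limiter.limit'."""
    if isinstance(node, ast.Call):
        node = node.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def decorators_by_function(source: str) -> dict[str, set[str]]:
    """Map each function name in source to the set of its decorator names."""
    out = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            out[node.name] = {decorator_name(d) for d in node.decorator_list}
    return out


def _is_security(name: str) -> bool:
    return name.rsplit(".", 1)[-1] in SECURITY_DECORATORS


def _is_route(name: str) -> bool:
    return name.rsplit(".", 1)[-1] in ROUTE_DECORATORS


def removed_security_controls(before: str, after: str) -> dict[str, list[str]]:
    """Functions that kept their name but lost a security decorator."""
    old, new = decorators_by_function(before), decorators_by_function(after)
    report = {}
    for func, decorators in old.items():
        if func not in new:
            continue  # a deleted function is a different kind of finding
        lost = sorted(d for d in decorators - new[func] if _is_security(d))
        if lost:
            report[func] = lost
    return report


def new_unprotected_routes(before: str, after: str) -> list[str]:
    """Route handlers added in 'after' that carry no security decorator."""
    old, new = decorators_by_function(before), decorators_by_function(after)
    return sorted(
        func for func, decorators in new.items()
        if func not in old
        and any(_is_route(d) for d in decorators)
        and not any(_is_security(d) for d in decorators)
    )


if __name__ == "__main__":
    print(removed_security_controls(BEFORE, AFTER))  # {'admin_panel': ['login_required']}
    print(new_unprotected_routes(BEFORE, AFTER))     # ['export_data']
```

The comparison is keyed on function name, so a rename shows up as a deleted function plus an unprotected new one rather than as a removed control; pre-existing unprotected handlers such as `health` are intentionally not reported, because a diff gate should complain about what the change did, not about the whole codebase.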

Hallucinated AI code

Find hallucinated imports, phantom calls, insecure defaults, and hardcoded secrets in AI-assisted code before merge.

Dead code in real Python apps

Reduce Vulture-style noise across Django, Flask, FastAPI, Pydantic, and pytest instead of maintaining giant ignore lists.

Local scan to PR gate

Start with skylos . -a. When it earns trust on a real repo, add skylos cicd init for repeatable GitHub enforcement.

See It in Action

Watch how Skylos scans your codebase and integrates into your CI/CD pipeline.

Benchmark: Skylos vs Vulture

We tested both tools against a realistic FastAPI + Pydantic codebase seeded with known dead code. The goal: measure detection accuracy in a modern Python stack.

Test Methodology

We ran both tools on a standard service architecture containing:

  • 29 seeded bugs: unused imports, functions, and variables.
  • Framework magic: FastAPI routers, Pydantic models, and Pytest fixtures (which often trigger false positives).

The Takeaway

Vulture is faster (0.1s) but "dumb": it missed 17% of the dead code and flagged used code as dead.

Skylos found 100% of the dead code with higher precision, taking ~1.6s to parse the full AST context.

Metric                                            Skylos     Vulture
True Positives (correctly found dead code)        29 / 29    24 / 29
False Negatives (missed bugs; lower is better)    0          5
Precision (accuracy of findings)                  70.7%      50.0%
Recall (detection rate)                           100%       82.8%
Execution Time                                    1.67s      0.10s

* Benchmark data collected Feb 2026 on Apple Silicon M3.

Try it locally. Gate it in CI when it earns trust.

The first run should take seconds. Add CI as the second step only after you see signal on a real repo.

1. Install CLI

$ pip install skylos

Start locally with no login, no repo connection, and no workflow changes.

2. Run your first scan

$ skylos . -a

Scan for dead code, security issues, and AI-generated regressions on a repo you already care about.

3. Add PR gates when ready

$ skylos cicd init

Generate GitHub Actions setup and block risky merges once the local scan is already useful.

Frequently Asked Questions

How does Skylos detect hardcoded secrets?

Skylos scans your codebase and git history using entropy analysis and pattern matching to find API keys, tokens, and passwords before they are pushed to production.
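To show what "entropy analysis and pattern matching" means in practice, here is an added example that is not Skylos code: a small scanner that combines regexes for a few widely documented token formats with Shannon entropy over string literals. The sample lines are constructed; AKIAIOSFODNN7EXAMPLE is the placeholder access key id AWS uses in its own documentation, and the other values are made up.

```python
"""Added example, not Skylos code: a small secret scanner combining known-format
patterns with Shannon entropy over string literals. The regexes cover a few
widely documented token formats; every sample value below is constructed or an
officially published placeholder, never a live credential."""
import math
import re
from collections import Counter

# Constructed sample lines. AKIAIOSFODNN7EXAMPLE is the placeholder access key
# id that AWS uses in its documentation; the rest are invented.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = "p@ssw0rd"',
    'token = "ghp_" + os.environ["GH_TOKEN"]',
    'api_key = "sk_live_0123456789abcdefABCDEF0123456789"',
    'DEBUG = True',
    'checksum = "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"',  # constructed hex digest
]

# Illustrative formats: AWS access key ids, GitHub classic tokens, Stripe-style keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_style_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
}
STRING_LITERAL = re.compile(r'["\']([^"\']{16,})["\']')
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
ENTROPY_THRESHOLD = 3.5  # bits per character; tuned per corpus in practice


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def classify_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, detail) findings: kind is 'pattern' or 'entropy'."""
    findings = []
    for name, rx in PATTERNS.items():
        if rx.search(line):
            findings.append(("pattern", name))
    for m in STRING_LITERAL.finditer(line):
        literal = m.group(1)
        # Pure hex literals are usually digests or ids: high entropy but not
        # secrets. Demoting them cuts noise; hex-encoded API keys will be missed.
        if HEX_ONLY.match(literal):
            continue
        if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
            findings.append(("entropy", literal))
    return findings


def scan_lines(lines) -> list[tuple[int, str, str]]:
    """(1-based line number, kind, detail) for every finding in lines."""
    return [(i, kind, detail)
            for i, line in enumerate(lines, start=1)
            for kind, detail in classify_line(line)]


if __name__ == "__main__":
    for lineno, kind, detail in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {kind}: {detail}")
```

Note what slips through: `"p@ssw0rd"` is short, low-entropy and matches no known prefix, so neither signal fires, and the token on line 3 is only ever assembled at runtime. Entropy catches long random-looking values, patterns catch known formats, and neither catches a weak password, which is why secret scanning is one control among several and why scanning git history (not just the working tree) matters: a secret that was committed once and then removed is still recoverable.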

Why does Skylos take ~1.5s compared to Vulture?

Vulture scans text (regex). Skylos scans logic (AST). We trade 1 second of computer time to save you hours of human triage time. We filter out false positives from FastAPI routes, Pydantic models, and Pytest fixtures automatically.

Is this a replacement for SonarQube or Snyk?

Skylos is a lightweight, zero-config alternative focused specifically on Python. Unlike heavy enterprise SAST tools, Skylos runs in <3 seconds and is designed for immediate feedback in local CLI and PR checks.

Can I automate Python security checks in GitHub Actions?

Yes. Skylos is designed for CI/CD. You can use it to gate pull requests, ensuring no dead code or security vulnerabilities merge into your main branch.

Can Skylos review Claude Code or Cursor output?

Yes. You can run Skylos locally before commit, scan diffs in pull requests, and use Skylos in AI-assisted workflows where Claude Code, Cursor, or other agents are generating Python changes.

Open source locally. Use cloud when you need workflow.

The CLI works without login. Credits apply when you upload scans, compare history, or run AI-assisted cloud actions.

OSS CLI

Best for trying Skylos on a repo today.

  • pip install skylos
  • Local scans, JSON output, and SARIF
  • No login required
Run your first scan
Cloud dashboard

Best for history, suppressions, scan compare, and shared visibility.

  • Upload scans for trends, history, and triage
  • Shared findings, suppressions, and exports
  • Credits used for uploads and AI-assisted workflows
Connect a repo
GitHub and teams

Best once the local scan is already useful and you want repeatable enforcement.

  • PR gates, inline comments, and scan comparison
  • Slack or Discord notifications and team workflows
  • Compliance reports, governance, and higher limits
See CI setup

Credits for cloud workflows

Local CLI scans stay free. Buy credits when you want uploads, history, PR automation, or AI-assisted actions. No subscriptions.

Most Popular

Cloud workflow

Buy credits when you need shared history and automation

$9 / 500 credits
  • Local CLI stays free and unlimited
  • Upload scans to the dashboard
  • Scan compare, trends, and finding history
  • Inline PR comments and team collaboration
  • Slack and Discord notifications
  • AI triage and PR auto-fix (coming soon)
  • Credits never expire
Connect GitHub

Starts with credits, then grows with usage.

Team and enterprise

For higher limits, rollout help, and procurement

Custom
  • Everything in Cloud workflow
  • Unlimited credits
  • More projects, scans, and longer history
  • Advanced gates and exports (coming soon)
  • Shared workspace, integrations, and governance
  • Contact for rollout support and procurement
Book a Demo

Run it on one repo you care about

Start locally with no login. If the findings are useful, add skylos cicd init to gate pull requests later.