SkillSync MCP

@adityasugandhi

Visit Server

9 days ago

The only MCP server that gates skill installation behind a full security scan. 60+ threat patterns, 13 MCP tools, and support for 7 clients including Claude Code, Cursor, Windsurf, and GitHub Copilot. Features AI-powered search, cloud sync, and startup verification with SHA-256 content hashing.

Overview Tools Comments

Overview

SkillSync MCP

The only MCP server that gates skill installation behind a full security scan.

SkillSync MCP is a security-first skill management server for AI coding assistants. Before any skill is installed, it runs a comprehensive threat analysis across 60+ patterns covering 15 attack categories.

Key Features

Security Scanning

Every installation is gated by a multi-level security scan across 60+ threat patterns in 15 categories: prompt injection, Unicode homoglyphs, reverse shells, credential theft, supply chain attacks, crypto mining, RCE, obfuscation, and privilege escalation. Critical threats are permanently blocked with no override possible.

Cloud Sync

Subscribe to search queries and auto-sync skills across machines. Configurable risk thresholds, conflict policies, and dry-run previews. Lock file support for managed vs manual skill tracking.

AI-Powered Search

Keyword and semantic search across the SkillsMP marketplace powered by Cloudflare AI. Smart suggestions based on your installed skills. Side-by-side skill comparison with security diffs.

Skill Management

Install, uninstall, list, and audit skills. Startup verification with fs.watch and SHA-256 content hashing. TOCTOU protection. npm install --ignore-scripts for supply chain safety.

13 MCP Tools

Tool	Category	Description
`skillsmp_search`	Search	Keyword search
`skillsmp_ai_search`	Search	AI semantic search
`skillsmp_search_safe`	Search	Search + auto-scan
`skillsmp_suggest`	Search	AI suggestions
`skillsmp_scan_skill`	Security	Security scan
`skillsmp_compare`	Security	Side-by-side compare
`skillsmp_audit_installed`	Security	Deep audit
`skillsmp_install_skill`	Management	Install skill
`skillsmp_uninstall_skill`	Management	Uninstall skill
`skillsmp_list_installed`	Management	List installed skills
`skillsync_configure`	Cloud Sync	Configure sync
`skillsync_sync_now`	Cloud Sync	Run sync
`skillsync_status`	Cloud Sync	Sync status

Quick Start

npx -y @stranzwersweb2/skillsync-mcp

Add to ~/.claude/settings.json:

{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}

Supported Clients

Claude Code - ~/.claude/settings.json
OpenClaw - ~/.openclaw/mcp.json
Cursor - .cursor/mcp.json
Windsurf - ~/.windsurf/mcp.json
GitHub Copilot - .github/copilot-mcp.json
Zed - ~/.config/zed/settings.json
nanobot - MCP config

Security Model

Risk Level	Behavior
Safe / Low	Installs with warnings shown
Medium / High	Blocked - requires `force=true` to override
Critical	Permanently blocked - no override possible

Additional Safety Guards

Path traversal prevention on skill names and filenames
SSRF prevention - only github.com URLs accepted
npm install --ignore-scripts blocks postinstall attacks
Max 50 files, 512KB per file, 2MB total size limit
Output sanitization strips zero-width Unicode and bidi overrides
15-minute scan cache with 100-entry LRU eviction
fs.watch startup verification with debounced re-scanning

Links

Author: Aditya Sugandhi | License: MIT | Version: v1.3.0

Try in Playground

Server Config

{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": [
        "-y",
        "@stranzwersweb2/skillsync-mcp"
      ]
    }
  }
}

Build with ShipAny.