SkillSync MCP
Uses Cloudflare AI for semantic search across the SkillsMP marketplace to find relevant skills based on natural language queries.
Enables scanning and installing skills from GitHub repositories, with security checks and automatic download to the skills directory.
Works with GitHub Copilot as an MCP-compatible client to search, scan, install, and manage skills via the SkillsMP marketplace.
An MCP (Model Context Protocol) server for SkillsMP -- the marketplace for Claude Code skills. Search, scan for security threats, install, and manage skills directly from your AI assistant.
The only tool that gates skill installation behind a full security scan.
Features
Search -- Keyword and AI-powered semantic search across the SkillsMP marketplace
Security Scan -- 60+ threat patterns: prompt injection, reverse shells, credential theft, supply chain attacks, crypto mining, obfuscation
Install -- Download skills from GitHub to ~/.claude/skills/ with automatic security gate
Uninstall -- Clean removal of installed skills
Safe Search -- Combined search + auto-scan in one step
Installed Skills Registry -- List all installed skills with risk levels and content hashes
Deep Audit -- Force a fresh security scan on any installed skill
Startup Verification -- Background discovery, content hashing, and fs.watch for live sync
Why SkillSync?
Feature | Raw | Other Tools | SkillSync MCP |
Security scan before install | No | No | Yes -- 60+ patterns |
Blocks critical threats | No | No | Yes -- prompt injection, RCE, credential theft |
Multi-client support | N/A | Varies | Claude Code, OpenClaw, Cursor, Windsurf, GitHub Copilot, Zed, nanobot |
Marketplace search | Manual | Some | Built-in keyword + AI semantic search |
Startup verification | No | No | Yes -- fs.watch + content hash |
Output sanitization | No | No | Yes -- anti prompt injection |
Tools (13)
Tool | Description |
| Keyword search across SkillsMP marketplace |
| AI-powered semantic search (Cloudflare AI) |
| Security scan a GitHub skill repo (60+ patterns) |
| Search + auto-scan top results |
| Scan then install to |
| Remove an installed skill |
| List all installed skills with risk levels (optional refresh) |
| Deep security audit of a specific installed skill |
| AI-powered skill recommendations based on installed skills |
| Side-by-side security comparison of two skills |
| Manage sync subscriptions and settings |
| Run sync cycle: poll, diff, install/update/remove |
| Show sync engine status and schedule |
Compatible With
Works with Claude Code | OpenClaw | Cursor | Windsurf | GitHub Copilot | Zed | nanobot -- any MCP-compatible client
Install
Smithery (one-click)
Install via Smithery for automatic configuration with any supported client.
Claude Code
Add to ~/.claude/settings.json:
{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}
OpenClaw
Add to ~/.openclaw/mcp.json:
{
  "mcpServers": {
    "skillsmp": {
      "version": "1.3.0",
      "autoUpdate": false,
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp@1.3.0"]
    }
  }
}
OpenClaw uses the same SKILL.md format as Claude Code. Skills installed via this server are compatible with both platforms. OpenClaw users should pin versions and review tool policies per the security hardening guide.
Cursor
Add to .cursor/mcp.json in your project root:
{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}
Windsurf
Add to ~/.windsurf/mcp.json:
{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}
GitHub Copilot
Add to .github/copilot-mcp.json in your project root, or ~/.github/copilot-mcp.json for global config:
{
  "mcpServers": {
    "skillsync": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"],
      "env": {
        "SKILLSMP_API_KEY": "your-api-key"
      }
    }
  }
}
Zed
Add to ~/.config/zed/settings.json under the "context_servers" key:
{
  "context_servers": {
    "skillsync": {
      "command": {
        "path": "npx",
        "args": ["-y", "@stranzwersweb2/skillsync-mcp"],
        "env": {
          "SKILLSMP_API_KEY": "your-api-key"
        }
      }
    }
  }
}
Global install
npm install -g @stranzwersweb2/skillsync-mcp
Then reference in any MCP config:
{
  "mcpServers": {
    "skillsmp": {
      "command": "skillsync-mcp"
    }
  }
}
Client Compatibility
Client | Config Path | Skill Format |
Claude Code | | |
OpenClaw | | |
Cursor | | MCP tools only |
Windsurf | | MCP tools only |
GitHub Copilot | | MCP tools only |
Zed | | MCP tools only |
nanobot | MCP config | MCP tools only |
Security Model
Installation is gated by a multi-level security scan:
Risk Level | Behavior |
Safe / Low | Install proceeds, warnings shown |
Medium / High | Install blocked -- requires |
Critical | Install permanently blocked -- no override |
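The gate in the table above, as an added example that is not SkillSync's own code: the scan verdict is bound to a content hash, so the bytes installed must be the bytes that were scanned. The scan result shape, the function names and the lowercase risk labels are assumptions.

```javascript
// Added example, not the project's code. Names and data shapes are hypothetical.
const { createHash } = require("node:crypto");

// Hash paths and contents in sorted order so the digest does not depend on
// enumeration order. JSON.stringify gives an unambiguous path/content encoding
// (file contents are strings in this sample).
function contentHash(files) {
  const h = createHash("sha256");
  for (const path of Object.keys(files).sort()) {
    h.update(JSON.stringify([path, files[path]]));
  }
  return h.digest("hex");
}

// scan: { risk, hash } recorded at scan time (assumed shape).
// filesAtInstall: the content actually fetched for installation.
function decideInstall(scan, filesAtInstall, { force = false } = {}) {
  // TOCTOU check: refuse if the content changed after it was scanned.
  if (contentHash(filesAtInstall) !== scan.hash) {
    return { allow: false, reason: "content changed since scan" };
  }
  switch (scan.risk) {
    case "safe":
    case "low":
      return { allow: true, reason: "install proceeds, warnings shown" };
    case "medium":
    case "high":
      return force
        ? { allow: true, reason: "override accepted" }
        : { allow: false, reason: "blocked, override required" };
    case "critical":
      // No override path exists for this level.
      return { allow: false, reason: "permanently blocked" };
    default:
      // Fail closed on anything the gate does not recognise.
      return { allow: false, reason: "unknown risk level" };
  }
}
```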
Additional Safety Guards
Path traversal prevention on skill names and filenames
SSRF prevention -- only github.com URLs accepted
npm install --ignore-scripts -- blocks postinstall attacks
Max 50 files, 2MB total size limit
Binary files skipped, suspicious filenames flagged
Content hash for TOCTOU verification
Output sanitization -- strips zero-width Unicode, bidi overrides, truncates to prevent prompt injection
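Three of the guards listed above (github.com-only URLs, name validation against path traversal, output sanitization), as an added example that is not taken from the project's source. Function names, length limits and the exact character set are assumptions.

```javascript
// Added example, not the project's code. Names and limits are hypothetical.

// Accept only https URLs whose host is exactly github.com:
// no userinfo (user@host tricks), no custom port, no look-alike suffixes.
function isAllowedRepoUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return false; // not parseable as an absolute URL
  }
  return u.protocol === "https:" && u.hostname === "github.com" &&
         u.username === "" && u.password === "" && u.port === "";
}

// Skill and file names must be a single path segment from a conservative
// allowlist: no separators, no leading dot, no ".." sequences.
function isSafeName(name) {
  return typeof name === "string" && name.length <= 64 &&
         /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(name) && !name.includes("..");
}

// Zero-width characters and bidirectional controls that can hide or
// visually reorder text returned to the model.
const INVISIBLE = /[\u200B-\u200F\u2060\uFEFF\u202A-\u202E\u2066-\u2069]/g;

// Strip invisible characters first, then cap the length.
function sanitizeOutput(text, maxLen = 500) {
  const cleaned = String(text).replace(INVISIBLE, "");
  return cleaned.length > maxLen
    ? cleaned.slice(0, maxLen) + "...[truncated]"
    : cleaned;
}
```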
How It Works
Search SkillsMP -> Pick a skill -> Security scan (60+ patterns)
|
Critical? -> BLOCKED
Medium/High? -> Requires force=true
Safe/Low? -> Download from GitHub
|
Write to ~/.claude/skills/<name>/
|
npm install --ignore-scripts (if needed)
|
Startup verification (fs.watch + content hash)
|
Restart your MCP client to load
Examples
Ask your AI assistant:
Search for git-related skills on SkillsMP
Scan this skill for security issues: https://github.com/user/repo/tree/main/skills/my-skill
Install the commit skill from https://github.com/user/repo/tree/main/skills/commit
List all my installed skills
Run a deep security audit on the commit skill
Uninstall the commit skill
Development
git clone https://github.com/adityasugandhi/skillsync-mcp.git
cd skillsync-mcp
npm install
npm run build
npm run dev # Watch mode with tsx
npm run test:build # Build + run tests
Requirements
Node.js >= 20
Any MCP-compatible client (Claude Code, OpenClaw, Cursor, Windsurf, GitHub Copilot, Zed, nanobot, etc.)
Contributing
Contributions are welcome. Please see CONTRIBUTING.md for guidelines.
Browse open issues or look for the good-first-issue label
To add new threat detection patterns, see docs/THREAT_PATTERNS.md
All PRs must pass the existing test suite (npm run test:build)
Author
Aditya Sugandhi -- adityasugandhi.com | GitHub