npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@stranzwersweb2/skillsync-mcp

v1.4.1

Published

SkillSync MCP server — search, scan, install & manage Claude Code skills with built-in security scanning and startup verification

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

stranzwersweb2stranzwersweb2

Keywords

mcpmodel-context-protocolclaudeclaude-codeopenclawcursorwindsurfskillsskillsyncskillsmpmarketplacesecurity-scannersecuritythreat-detectionai-toolsai-agentanthropicprompt-injection

Readme

SkillSync MCP

npm version Smithery License: MIT MCP Compatible Node.js >= 20 Security Patterns

Website | Smithery | npm | GitHub

An MCP (Model Context Protocol) server for SkillsMP -- the marketplace for Claude Code skills. Search, scan for security threats, install, and manage skills directly from your AI assistant.

The only tool that gates skill installation behind a full security scan.

Features

  • Search -- Keyword and AI-powered semantic search across the SkillsMP marketplace
  • Security Scan -- 60+ threat patterns: prompt injection, reverse shells, credential theft, supply chain attacks, crypto mining, obfuscation
  • Install -- Download skills from GitHub to ~/.claude/skills/ with automatic security gate
  • Uninstall -- Clean removal of installed skills
  • Safe Search -- Combined search + auto-scan in one step
  • Installed Skills Registry -- List all installed skills with risk levels and content hashes
  • Deep Audit -- Force a fresh security scan on any installed skill
  • Startup Verification -- Background discovery, content hashing, and fs.watch for live sync

Why SkillSync?

| | Raw git clone | Other Tools | SkillSync MCP | |---|---|---|---| | Security scan before install | No | No | Yes -- 60+ patterns | | Blocks critical threats | No | No | Yes -- prompt injection, RCE, credential theft | | Multi-client support | N/A | Varies | Claude Code, OpenClaw, Cursor, Windsurf, GitHub Copilot, Zed, nanobot | | Marketplace search | Manual | Some | Built-in keyword + AI semantic search | | Startup verification | No | No | Yes -- fs.watch + content hash | | Output sanitization | No | No | Yes -- anti prompt injection |

Tools (13)

| Tool | Description | |------|-------------| | skillsmp_search | Keyword search across SkillsMP marketplace | | skillsmp_ai_search | AI-powered semantic search (Cloudflare AI) | | skillsmp_scan_skill | Security scan a GitHub skill repo (60+ patterns) | | skillsmp_search_safe | Search + auto-scan top results | | skillsmp_install_skill | Scan then install to ~/.claude/skills/ | | skillsmp_uninstall_skill | Remove an installed skill | | skillsmp_list_installed | List all installed skills with risk levels (optional refresh) | | skillsmp_audit_installed | Deep security audit of a specific installed skill | | skillsmp_suggest | AI-powered skill recommendations based on installed skills | | skillsmp_compare | Side-by-side security comparison of two skills | | skillsync_configure | Manage sync subscriptions and settings | | skillsync_sync_now | Run sync cycle: poll, diff, install/update/remove | | skillsync_status | Show sync engine status and schedule |

Compatible With

Works with Claude Code | OpenClaw | Cursor | Windsurf | GitHub Copilot | Zed | nanobot -- any MCP-compatible client

Install

Smithery (one-click)

Smithery

Install via Smithery for automatic configuration with any supported client.

Claude Code

Add to ~/.claude/settings.json:

{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}

OpenClaw

Add to ~/.openclaw/mcp.json:

{
  "mcpServers": {
    "skillsmp": {
      "version": "1.3.0",
      "autoUpdate": false,
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/[email protected]"]
    }
  }
}

OpenClaw uses the same SKILL.md format as Claude Code. Skills installed via this server are compatible with both platforms. OpenClaw users should pin versions and review tool policies per the security hardening guide.

Cursor

Add to .cursor/mcp.json in your project root:

{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}

Windsurf

Add to ~/.windsurf/mcp.json:

{
  "mcpServers": {
    "skillsmp": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}

GitHub Copilot

Add to .github/copilot-mcp.json in your project root, or ~/.github/copilot-mcp.json for global config:

{
  "mcpServers": {
    "skillsync": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"],
      "env": {
        "SKILLSMP_API_KEY": "your-api-key"
      }
    }
  }
}

Zed

Add to ~/.config/zed/settings.json under the "context_servers" key:

{
  "context_servers": {
    "skillsync": {
      "command": {
        "path": "npx",
        "args": ["-y", "@stranzwersweb2/skillsync-mcp"],
        "env": {
          "SKILLSMP_API_KEY": "your-api-key"
        }
      }
    }
  }
}

Global install

npm install -g @stranzwersweb2/skillsync-mcp

Then reference in any MCP config:

{
  "mcpServers": {
    "skillsmp": {
      "command": "skillsync-mcp"
    }
  }
}

Client Compatibility

| Client | Config Path | Skill Format | |--------|------------|--------------| | Claude Code | ~/.claude/settings.json | SKILL.md in ~/.claude/skills/ | | OpenClaw | ~/.openclaw/mcp.json | SKILL.md (same format, ClawHub registry) | | Cursor | .cursor/mcp.json | MCP tools only | | Windsurf | ~/.windsurf/mcp.json | MCP tools only | | GitHub Copilot | .github/copilot-mcp.json | MCP tools only | | Zed | ~/.config/zed/settings.json | MCP tools only | | nanobot | MCP config | MCP tools only |

Security Model

Installation is gated by a multi-level security scan:

| Risk Level | Behavior | |------------|----------| | Safe / Low | Install proceeds, warnings shown | | Medium / High | Install blocked -- requires force: true to override | | Critical | Install permanently blocked -- no override |

Additional Safety Guards

  • Path traversal prevention on skill names and filenames
  • SSRF prevention -- only github.com URLs accepted
  • npm install --ignore-scripts -- blocks postinstall attacks
  • Max 50 files, 2MB total size limit
  • Binary files skipped, suspicious filenames flagged
  • Content hash for TOCTOU verification
  • Output sanitization -- strips zero-width Unicode, bidi overrides, truncates to prevent prompt injection

How It Works

Search SkillsMP -> Pick a skill -> Security scan (60+ patterns)
                                        |
                              Critical? -> BLOCKED
                              Medium/High? -> Requires force=true
                              Safe/Low? -> Download from GitHub
                                        |
                              Write to ~/.claude/skills/<name>/
                                        |
                              npm install --ignore-scripts (if needed)
                                        |
                              Startup verification (fs.watch + content hash)
                                        |
                              Restart your MCP client to load

Examples

Ask your AI assistant:

Search for git-related skills on SkillsMP
Scan this skill for security issues: https://github.com/user/repo/tree/main/skills/my-skill
Install the commit skill from https://github.com/user/repo/tree/main/skills/commit
List all my installed skills
Run a deep security audit on the commit skill
Uninstall the commit skill

Development

git clone https://github.com/adityasugandhi/skillsync-mcp.git
cd skillsync-mcp
npm install
npm run build
npm run dev    # Watch mode with tsx
npm run test:build  # Build + run tests

Requirements

  • Node.js >= 20
  • Any MCP-compatible client (Claude Code, OpenClaw, Cursor, Windsurf, GitHub Copilot, Zed, nanobot, etc.)

Contributing

Contributions are welcome. Please see CONTRIBUTING.md for guidelines.

  • Browse open issues or look for the good-first-issue label
  • To add new threat detection patterns, see docs/THREAT_PATTERNS.md
  • All PRs must pass the existing test suite (npm run test:build)

Author

Aditya Sugandhi -- adityasugandhi.com | GitHub

Star History

Star History Chart

License

MIT - Aditya Sugandhi