skillsync

SkillSync MCP provides an automated, security-gated workflow for discovering, evaluating, and installing SkillsMP skills from the SkillsMP marketplace. The server exposes a set of tools under the Skillsync bundle, including search capabilities, AI-assisted filtering, and a built-in security scan prior to installation. You can use it to perform keyword or semantic searches across the marketplace, trigger a 60+ point threat scan on candidate skills, and install vetted skills directly into your Claude Code, OpenClaw, Cursor, Windsurf, GitHub Copilot, Zed, or nanobot MCP clients. The server also maintains an Installed Skills Registry with risk levels and content hashes, and provides a deep audit option to re-scan installed skills on demand. To begin, configure SkillSync in your MCP client of choice (Claude Code, OpenClaw, Cursor, Windsurf, Copilot, Zed, or nanobot) using the command pattern shown in the examples, typically via npx to fetch the MCP and run it locally. Once configured, you can perform searches, run auto-scans on top results, and install secured skills into your local skills directory with automatic security gating.

Prerequisites:

• Node.js 20 or greater installed on your system
• npm (comes with Node.js)
• Access to the internet to fetch MCP and dependencies

Installation steps (example using global npm install):

1. Install SkillSync MCP globally so it can be invoked from any MCP client:

npm install -g @stranzwersweb2/skillsync-mcp

2. Verify installation:

skillsync --version

3. Add SkillSync MCP to your MCP client configuration (examples below). If you already have an MCP client configured, you can reference the MCP by the same server key used in your client’s config (e.g., Claude Code, OpenClaw, Cursor, Windsurf, Copilot, Zed, or nanobot).
4. Example client configuration (Claude Code):

{
  "mcpServers": {
    "skillsync": {
      "command": "npx",
      "args": ["-y", "@stranzwersweb2/skillsync-mcp"]
    }
  }
}

5. For other clients, copy the corresponding snippet from the SkillSync README and insert the same server name (skillsync) with the appropriate command and args as shown above. If you want a pinned version, you can specify a version in the args, e.g. @stranzwersweb2/skillsync-mcp@1.3.0, similar to the examples in the readme for other MCP clients.
6. Optionally configure environment variables as needed for specific clients (see Notes).

Notes and tips:

• The SkillSync MCP gates skill installation behind a multi-level security scan (60+ threat patterns) and will block installations that fail the scan unless force: true is used for overrides on non-critical levels.
• You can run a Deep Audit of installed skills to force a fresh security scan.
• When using Copilot or Zed integrations, you may need to supply an API key via environment variable SKILLSMP_API_KEY in the MCP config (or the client’s env section) to enable access to the SkillsMP API for search or recommendations.
• SkillSync keeps an Installed Skills Registry with risk levels and content hashes for integrity checks.
• For best results, pin SkillSync MCP versions in clients that support versioned installs to avoid breaking changes (e.g., @stranzwersweb2/skillsync-mcp@1.3.0).
• If you run into issues with npm install --ignore-scripts or postinstall steps, ensure you’re using a clean environment or isolated node version manager and verify your network policies allow npm registry access.