by op7418
A multi-model AI agent desktop client — connect any AI provider, extend with MCP & skills, control from your phone. Built with Electron + Next.js.
# Add to your Claude Code skills
git clone https://github.com/op7418/CodePilotLast scanned: 4/19/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@anthropic-ai/claude-agent-sdk: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@chevrotain/cst-dts-gen: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@chevrotain/gast: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server: Middleware bypass via repeated slashes in serveStatic",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@larksuiteoapi/node-sdk: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@modelcontextprotocol/sdk: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "axios: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "chevrotain: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "chevrotain-allstar: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "dagre-d3-es: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "dompurify: DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "electron: Electron: Context Isolation bypass via contextBridge VideoFrame transfer",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "hono: Hono missing validation of cookie name on write path in setCookie()",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "langium: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash-es: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "mermaid: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "next: Next.js has a Denial of Service with Server Components",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "wait-on: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-04-19T06:01:11.303Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": true
}CodePilot is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by op7418. A multi-model AI agent desktop client — connect any AI provider, extend with MCP & skills, control from your phone. Built with Electron + Next.js. It has 6,123 GitHub stars.
CodePilot failed SkillsLLM's automated security scan, which flagged one or more high-severity issues. Review the Security Report section carefully before using it.
Clone the repository with "git clone https://github.com/op7418/CodePilot" and add it to your Claude Code skills directory (see the Installation section above).
CodePilot is primarily written in TypeScript. It is open-source under op7418 on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh CodePilot against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
A multi-model AI agent desktop client -- connect any AI provider, extend with MCP & skills, control from your phone, and let your assistant learn your workflow.
Download | Quick Start | Documentation | Contributing | Community
| Platform | Download | Architecture |
|---|---|---|
| macOS | Apple Silicon (.dmg) · Intel (.dmg) | arm64 / x64 |
| Windows | Installer (.exe) | x64 + arm64 |
| Linux | Build from source | x64 + arm64 |
Or visit the Releases page for all versions.
Connect to 17+ AI providers out of the box. Switch providers and models mid-conversation without losing context.
| Category | Providers |
|---|---|
| Direct API | Anthropic, OpenRouter |
| Cloud platforms | AWS Bedrock, Google Vertex AI |
| Chinese AI providers | Zhipu GLM (CN/Global), Kimi, Moonshot, MiniMax (CN/Global), Volcengine Ark (Doubao), Xiaomi MiMo, Aliyun Bailian (Qwen) |
| Local & self-hosted | Ollama, LiteLLM |
| Custom | Any Anthropic-compatible or OpenAI-compatible endpoint |
| Media | Google Gemini (image generation) |
CodePilot started as a coding tool but has grown into a general-purpose AI agent desktop:
Note: Installing the Claude Code CLI (
npm install -g @anthropic-ai/claude-code) unlocks additional capabilities like direct file editing, terminal commands, and git operations. It is recommended but not required for basic chat.
| Prerequisite | Minimum version |
|---|---|
| Node.js | 18+ |
| npm | 9+ (ships with Node 18) |
git clone https://github.com/op7418/CodePilot.git
cd CodePilot
npm install
npm run dev # browser mode at http://localhost:3000
# -- or --
npm run electron:dev # full desktop app
| Capability | Details |
|---|---|
| Interaction modes | Code / Plan / Ask |
| Reasoning effort | Low / Medium / High / Max + Thinking mode |
| Permission control | Default / Full Access, per-action approval |
| Session control | Pause, resume, rewind to checkpoint, archive |
| Model switching | Change model mid-conversation |
| Split screen | Side-by-side dual sessions |
| Attachments | Files and images with multimodal vision support |
| Slash commands | /help /clear /cost /compact /doctor /review and more |
| Capability | Details |
|---|---|
| Providers | 17+ providers: Anthropic, OpenRouter, Bedrock, Vertex, Zhipu GLM, Kimi, Moonshot, MiniMax, Volcengine, MiMo, Bailian, Ollama, LiteLLM, custom endpoints |
| MCP servers | stdio / sse / http, runtime status monitoring |
| Skills | Custom / project / global skills, skills.sh marketplace |
| Bridge | Telegram / Feishu / Discord / QQ / WeChat remote control |
| CLI import | Import Claude Code CLI .jsonl session history |
| Image generation | Gemini image gen, batch tasks, gallery |
| Capability | Details |
|---|---|
| Assistant Workspace | Persona files (soul.md, user.md, claude.md, memory.md), onboarding, daily check-ins, persistent memory |
| Generative UI | AI-created interactive dashboards and visual widgets |
| File browser | Project file tree with syntax-highlighted preview |
| Git panel | Status, branches, commits, worktree management |
| Usage analytics | Token counts, cost estimates, daily usage charts |
| Task scheduler | Cron-based and interval scheduling with persistence |
| Local storage | SQLite (WAL mode), all data stays on your machine |
| i18n | English + Chinese |
| Themes | Dark / Light, one-click toggle |
soul.md, user.md, claude.md, and memory.md at the workspace root.npm install -g @anthropic-ai/claude-codemacOS builds are code-signed with a Developer ID certificate but not notarized, so Gatekeeper may still prompt on first launch. Windows and Linux builds are unsigned.
Option 1 -- Right-click CodePilot.app in Finder > Open > confirm.
Option 2 -- System Settings > Privacy & Security > scroll to Security > click Open Anyway.
Option 3 -- Run in Terminal:
xattr -cr /Applications/CodePilot.app
Option 1 -- Click "More info" on the SmartScreen dialog, then "Run anyway".
Option 2 -- Settings > Apps > Advanced app settings > set App Install Control to allow apps from anywhere.
📖 Full documentation: English | 中文
Getting started:
User guides:
Developer docs:
No. You can use CodePilot with any supported provider (OpenRouter, Zhipu GLM, Volcengine, Ollama, etc.) without the Claude Code CLI. The CLI is only needed if you want Claude to directly edit files, run terminal commands, or use git operations on your machine. For chat and assistant features, just configure a provider and start a conversation.
Verify the API key is valid and the endpoint is reachable. Some providers (Bedrock, Vertex) require additional environment variables or IAM configuration beyond the API key. Use the built-in diagnostics (Settings > Providers > Run Diagnostics) to check connectivity.