by cynative
Deep cybersecurity research agent for your cloud, code and runtime - ask your infrastructure anything. Read-only, sandboxed.
# Add to your Claude Code skills
git clone https://github.com/cynative/cynativecynative is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by cynative. Deep cybersecurity research agent for your cloud, code and runtime - ask your infrastructure anything. Read-only, sandboxed. It has 57 GitHub stars.
cynative's catalog security scan is still queued. You can run an instant dependency and prompt-injection check now with the "Scan for vulnerabilities" button above.
Clone the repository with "git clone https://github.com/cynative/cynative" and add it to your Claude Code skills directory (see the Installation section above).
cynative is primarily written in Go. It is open-source under cynative on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh cynative against similar tools.
No comments yet. Be the first to share your thoughts!
Unlocks once the catalog security scan passes (runs nightly).
The deep catalog scan for this skill is still queued. Run an instant dependency check now instead.
Ask your infrastructure anything. Cynative runs frontier models across your code, cloud and runtime - reasoning through GitHub, GitLab, AWS, GCP, Azure and Kubernetes as one system - and comes back with verified answers.
cynative "what in my cloud is publicly exposed that shouldn't be?"
It writes and runs code in an ephemeral sandbox, querying your APIs in parallel, so one question fans out across your whole stack. Every finding is cross-checked and traced back to its origin.
Unlike coding agents and MCP servers, it's read-only by construction: every call is gated and authorized before a credential is attached - point it at production with confidence.
Install and set an LLM:
brew install cynative/tap/cynative
export CYNATIVE_LLM_PROVIDER=anthropic
export CYNATIVE_LLM_MODEL=claude-opus-4-8
export ANTHROPIC_API_KEY=...
Then give it any research task - it picks up the credentials already in your shell:
cynative -p "which IAM roles can escalate to admin?"
cynative -p "high-risk cloud permissions, trace each to the PR where it was granted"
cynative -p "cloud credentials leaked in source code and their current blast radius"
cynative "live cloud resources absent from IaC - drift" # starts an interactive session
| Coding agent + MCPs | Cynative | |
|---|---|---|
| Throughput | One action per call | Writes sandboxed code that fans out calls concurrently - fewer tokens, faster answers |
| Findings | Unverified output | Verifier cross-checks every finding against live evidence |
| Read-only | Opt-in read filter | On by default, fails closed - required IAM actions checked against a security-audit policy. secretsmanager:GetSecretValue is an IAM Read: a filter allows it, SecurityAudit blocks it |
| Credentials | Ambient, unchanged | STS session scoped to read-only - AWS enforces the boundary too |
| Blast radius | Your shell, any network | Research code runs in a sandbox with no host access, network pinned to your mapped services |
| Secrets | Sent to the model as-is | Redacted from tool output before it's sent to the model |
| Supply chain | Third-party MCPs and skills running with your creds | One open-source binary, connectors built in |
| Audit trail | Scattered session logs, best effort | Fail-closed JSONL log of every tool call - if it can't record, it aborts |
Homebrew (macOS / Linux - recommended):
brew install cynative/tap/cynative
Install script (macOS / Linux - verifies the download's SHA-256 against the release checksums.txt, failing closed):
curl -fsSL https://raw.githubusercontent.com/cynative/cynative/main/install.sh | sh
Windows (Scoop):
scoop bucket add cynative https://github.com/cynative/scoop-bucket
scoop install cynative
Update / uninstall
| Method | Update | Uninstall |
|---|---|---|
| Homebrew | brew upgrade cynative |
brew uninstall cynative |
| Install script | re-run the one-liner | curl -fsSL https://raw.githubusercontent.com/cynative/cynative/main/install.sh | sh -s -- --uninstall |
| Scoop | scoop update cynative |
scoop uninstall cynative |
Windows (PowerShell script): irm https://raw.githubusercontent.com/cynative/cynative/main/install.ps1 | iex; uninstall with & ([scriptblock]::Create((irm https://raw.githubusercontent.com/cynative/cynative/main/install.ps1))) -Uninstall.
Install-script options: pin a version with CYNATIVE_VERSION=v1.0.0; change the target directory with CYNATIVE_INSTALL_DIR (default ~/.local/bin, no sudo). The script checks the GitHub release attestation when gh is installed (advisory by default); set CYNATIVE_REQUIRE_ATTESTATION=1 to make a failed check fatal. For a high-integrity install, fetch the script from an immutable tag instead of main.
macOS (manual): download cynative_Darwin_arm64.pkg (Apple Silicon) or cynative_Darwin_x86_64.pkg (Intel) from the releases page and install with sudo installer -pkg <file> -target / (or double-click). These are signed, notarized and stapled - no first-run Gatekeeper prompt. The raw cynative_Darwin_*.tar.gz archives remain for scripting/CI; a quarantined tarball binary's first GUI launch needs internet for the online notarization check (terminal/install.sh/Homebrew use is unaffected).
Linux / Windows (manual): download a prebuilt binary and checksums.txt from the releases page, verify the SHA-256, and put the binary on your PATH. Single static binary, no dependencies.
Cynative talks to LLMs through the embedded Bifrost SDK and supports 23+ AI providers out of the box (OpenAI, Anthropic, Azure OpenAI, Amazon Bedrock, Google Vertex/Gemini, Cohere, Mistral, Groq, Ollama, vLLM and more). Pick one from docs/providers/README.md and follow that provider's guide.
# Google Vertex
export CYNATIVE_LLM_PROVIDER=vertex
export CYNATIVE_LLM_MODEL=gemini-3.1-pro-preview
export CYNATIVE_LLM_VERTEX_PROJECT_ID=my-gcp-project
export CYNATIVE_LLM_VERTEX_REGION=global
# CI / no gcloud: export GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa.json
# OpenAI
export CYNATIVE_LLM_PROVIDER=openai
export CYNATIVE_LLM_MODEL=gpt-5.5
export OPENAI_API_KEY=sk-...
# Amazon Bedrock - AWS credential chain
export CYNATIVE_LLM_PROVIDER=bedrock
export CYNATIVE_LLM_MODEL=anthropic.claude-opus-4-8
export CYNATIVE_LLM_BEDROCK_REGION=us-east-1
# Azure OpenAI - endpoint via env, no YAML needed
export CYNATIVE_LLM_PROVIDER=azure
export CYNATIVE_LLM_MODEL=my-gpt-5.5-prod-deployment
export AZURE_OPENAI_API_KEY=...
export CYNATIVE_LLM_AZURE_ENDPOINT=https://my-resource.openai.azure.com
# Local Ollama
export CYNATIVE_LLM_PROVIDER=ollama
export CYNATIVE_LLM_MODEL=nemotron-cascade-2
export CYNATIVE_LLM_OLLAMA_URL=http://localhost:11434
For multi-key load balancing, custom retry behavior, proxy configuration, or any other Bifrost feature, write a YAML file:
llm:
provider: openai
model: gpt-5.5
api_key: env.OPENAI_API_KEY
network_config: # common fields shown; see schemas.NetworkConfig for the full set
base_url: https://my-proxy.example.com/v1
default_request_timeout_in_seconds: 60
max_retries: 3
extra_headers:
x-tenant: prod
See docs/providers/ for every supported provider's configuration reference.
cynative with no arguments opens an interactive session (full line editing and history with arrow keys); cynative "task" runs the task then stays interactive; -p / --print runs a single task non-interactively and exits - for scripts and pipes (e.g. cat main.tf | cynative -p "review this Terraform for misconfigurations").
Cynative calls your stack using the credentials already in your shell - it keeps no separate credential store. Always provide the least-privileged, read-only credential needed.
Approvals: each tool call waits for a single keystroke: y runs it once, a clears every later call to that tool for the session (scripts still print before running), any other key denies. With no controlling terminal, use --auto-approve.
Stopping mid-task: while a task is running, press Esc or Ctrl-C once to gracefully stop it (the agent finishes any already-running call, then stops and prints โธ Stopped). When the agent hits repeated tool errors or rejections it stops automatically, summarizes what it is blocked on, and asks for the missing information.
Cynative prints a short operational footer (timing, token usage) to stderr - redirecting stdout (cynative -p "..." > out.txt) keeps the captured answer clean. --version prints version, commit, build date, Go version, and platform.