Check if a specific dependency has known vulnerabilities or malware using Endor Labs. Use when the user names a package and wants to know if it's safe, says "check lodash", "is express vulnerable", "any CVEs in django", "endor check", "is this package safe", or provides a package name after installing a dependency. Do NOT use for scanning an entire repo (/endor-scan) or viewing existing findings (/endor-findings).

Analyze the impact of upgrading a dependency before you do it. Use when the user says "should I upgrade lodash", "what breaks if I update express", "upgrade impact", "endor upgrade", "breaking changes from upgrading", or wants to find the safest version that fixes vulnerabilities. Uses pre-computed Endor Labs data — no scanning required. Do NOT use for just checking vulnerabilities (/endor-check) or applying a fix (/endor-fix).

Generate production-quality colorful icon sets using Google Imagen 4. Use this skill when the user needs custom app icons, emoji-style icons, cartoon icons, or any colorful icon set. Takes a project description, suggests icons, generates 1024px PNGs via Imagen 4, removes backgrounds, downscales to all target sizes, and delivers a review gallery for iterative refinement. Trigger on: "icon set", "generate icons", "app icons", "custom icons", "colorful icons", "cartoon icons", "emoji icons", "make icons", "icon generation", "imagen icons", or any request for a set of colorful visual assets.

Use for anything AI/agent/conversational built on Algolia: algobot CLI, Agent Studio, RAG systems, conversational product discovery, genAI content generation from search results (carousels, descriptions, headers), chatbots or recommendation agents using Algolia as retrieval, config-as-code workflows, multi-environment deploy (dev/staging/prod), memory and personalization, MCP tool integrations, conversation history / GDPR retention, or adding a chat widget alongside InstantSearch. Trigger on: "algobot", "Agent Studio", "RAG with Algolia", "conversational experience", "AI agent" + Algolia, "genAI carousel", "chat widget", or building AI features on top of Algolia search. Do NOT use for raw index ops (records, synonyms, settings) — use algolia-cli. Do NOT use for pure frontend search UI (InstantSearch, autocomplete) with no AI/agent layer.

Four lifecycle hooks every agent runs: on-session-start scans LESSONS-LEARNED.md, resumes checkpoints; on-pre-delegate verifies tracker issues, file partitions; on-post-delegate runs fast-review, CI checks; on-session-end executes session guard, writes logs. Use when starting a new session, running pre-flight checks before delegation, coordinating between agents, reviewing a completed handoff, or wrapping up a session. Trigger terms: multi-agent setup, delegate tasks, agent coordination, session management, run pre-flight checks, start a new session, coordinate between agents, wrap up session

Creates API route handlers, implements Server Actions with Zod schema validation, integrates external REST APIs with error handling. Use when adding endpoints, building request handlers, or wiring external services (endpoint, REST API, request handling, fetch, .ts route files).

Resolves task dependencies, generates machine-actionable delegation specs, structures phased subtask plans for multi-agent work. Use when writing delegation specs, resolving task dependencies, building phased subtask plans for multi-agent work, assigning work to sub-agents, or partitioning a feature into parallelizable phases.

Implement Apollo.io reference architecture. Use when designing Apollo integrations, establishing patterns, or building production-grade sales intelligence systems. Trigger with phrases like "apollo architecture", "apollo system design", "apollo integration patterns", "apollo best practices architecture".

Execute use when provisioning Vertex AI infrastructure with Terraform. Trigger with phrases like "vertex ai terraform", "deploy gemini terraform", "model garden infrastructure", "vertex ai endpoints terraform", or "vector search terraform". Provisions Model Garden models, Gemini endpoints, vector search indices, ML pipelines, and production AI services with encryption and auto-scaling.

Validate use when validating GitHub Actions workflows for Google Cloud and Vertex AI deployments. Trigger with phrases like "validate github actions", "setup workload identity federation", "github actions security", "deploy agent with ci/cd", or "automate vertex ai deployment". Enforces Workload Identity Federation (WIF), validates OIDC permissions, ensures least privilege IAM, and implements security best practices.

Execute use when provisioning Vertex AI ADK infrastructure with Terraform. Trigger with phrases like "deploy ADK terraform", "agent engine infrastructure", "provision ADK agent", "vertex AI agent terraform", or "code execution sandbox terraform". Provisions Agent Engine runtime, 14-day code execution sandbox, Memory Bank, VPC Service Controls, IAM roles, and secure multi-agent infrastructure.

Automates browser interactions for web testing, form filling, screenshots, and data extraction. Use when the user needs to navigate websites, interact with web pages, fill forms, take screenshots, test web applications, or extract information from web pages.

Use when you need to run interactive CLI tools (vim, git rebase -i, Python REPL, etc.) that require real-time input/output - provides tmux-based approach for controlling interactive sessions through detached sessions and send-keys

Translates Python functions into Dafny, adding types, pre/postconditions, and loop invariants sufficient for Dafny to verify. Use when formally verifying a Python algorithm, when the user wants machine-checked correctness for a critical function, or when building a verified reference implementation.

Finds and safely removes code that is never executed — unreachable branches, uncalled functions, unused classes, dead feature flags. Use when cleaning up after a feature removal, when the user suspects the codebase has accumulated cruft, or when reducing build/bundle size.

Uses mutation testing to find weak assertions and missing tests — injects small bugs and checks if the suite catches them, then generates tests targeting the surviving mutants. Use when coverage is high but bugs still ship, when auditing test quality, or when deciding if the suite is good enough.

Finds and removes redundant tests — tests that cover the same code, kill the same mutants, or assert the same behavior — to shrink suite runtime without losing coverage. Use when the test suite is slow, when tests have accumulated over years of copy-paste, or when CI costs are too high.

Generates configuration files for services and tools (app config, logging config, linter config, database config) from a brief description of desired behavior, matching the target format's idioms. Use when bootstrapping a new service, when the user asks for a config file for a specific tool, or when translating config intent between formats.

Advises on rollback strategies by analyzing what a deploy changes — recommending revert, roll-forward, feature-flag kill, or data repair depending on reversibility. Use during an incident when a deploy went bad, when designing a deploy pipeline and the user asks how to make it reversible, or when a migration needs an undo plan.

Generates unit tests for a function or class by analyzing branches, boundaries, and error paths — then emits test code in the project's existing framework and style. Covers happy path, edge cases, and failure modes with mocks for external dependencies. Use when writing tests for new code, when backfilling coverage on untested functions, when the user asks to generate tests, or when a coverage report shows specific gaps.