endor-ai-sast

Fetch and display AI-powered SAST findings from the Endor Labs platform. Default path is summary-only (aggregated counts + clusters); full masked listing runs only when the user asks to drill down (speed and token use). Use when the user says "AI SAST results", "AI SAST findings", "AI static analysis", "endor ai sast", "show AI SAST", or wants pre-computed AI-driven code security findings. Do NOT use for running a new SAST scan (/endor-sast), viewing general findings (/endor-findings), or explaining a specific CVE (/endor-explain).

Quality

88%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Advisory

Suggest reviewing before use

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, highly actionable skill with an excellent two-phase workflow design that minimizes token usage at runtime. The workflow clarity is strong with explicit gates, short-circuits, and validation steps. The main weakness is that large lookup tables (short-title mappings, remediation suggestions) are inlined rather than placed in reference files, making the skill body longer than necessary and hurting both conciseness and progressive disclosure.

Suggestions

Move the short-title mapping table and remediation suggestion table into a reference file (e.g., references/cluster-mappings.md) and reference it from the main skill body to improve conciseness and progressive disclosure.

Consider moving the Phase 2 detailed presentation instructions (4c, full field descriptions) into a separate reference file since they are only needed on drill-down, aligning the file structure with the two-phase runtime design.

Dimension	Reasoning	Score
Conciseness	The skill is quite long (~250+ lines) with extensive tables for short-title mappings and remediation suggestions that could be in a reference file. However, most content is actionable and non-trivial — it doesn't explain basic concepts Claude knows. The mapping tables are borderline: useful but bulky inline.	2 / 3
Actionability	Every step has executable bash commands with exact CLI flags, filter syntax, and jq parsing expressions. The narrowing filter examples in 3c are concrete and copy-paste ready. Presentation templates with markdown table formats are fully specified.	3 / 3
Workflow Clarity	The two-phase workflow is clearly sequenced with explicit gates (short-circuit on zero findings, 'do not run 3c until user requests'). Each step has prerequisites ('Only run this after Step 1 succeeds'), validation checkpoints, and the Phase 1→Phase 2 boundary is well-defined with a drill-down prompt. Error handling table covers key failure modes.	3 / 3
Progressive Disclosure	The skill references two bundle files (references/cli-parsing.md and references/data-sources.md) which is good, but the massive short-title mapping table and remediation table are inlined rather than placed in reference files. The two-phase design itself is good progressive disclosure for the user, but the SKILL.md body carries too much inline reference material that could be split out.	2 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that covers all key dimensions thoroughly. It provides specific capabilities, comprehensive trigger terms, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries against related skills. The description is concise yet information-dense, making it highly effective for skill selection among many options.

Dimension	Reasoning	Score
Specificity	Lists multiple concrete actions: 'Fetch and display AI-powered SAST findings', 'aggregated counts + clusters', 'full masked listing' for drill-down. Also specifies behavioral details like default path being summary-only and full listing only on request.	3 / 3
Completeness	Clearly answers both 'what' (fetch and display AI-powered SAST findings with summary-only default and drill-down option) and 'when' (explicit 'Use when...' clause with specific trigger phrases). Also includes explicit 'Do NOT use' guidance to prevent misuse, which strengthens completeness.	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms: 'AI SAST results', 'AI SAST findings', 'AI static analysis', 'endor ai sast', 'show AI SAST', and the conceptual phrase 'pre-computed AI-driven code security findings'. These are terms users would naturally say.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with explicit negative boundaries listing three related but different skills (/endor-sast, /endor-findings, /endor-explain) and explaining when NOT to use this skill. The 'AI SAST' qualifier clearly separates it from general SAST or general findings skills.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: endorlabs/skills-ideas
Commit: b958adc

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.