endor-check
Check if a specific dependency has known vulnerabilities or malware using Endor Labs. Use when the user names a package and wants to know if it's safe, says "check lodash", "is express vulnerable", "any CVEs in django", "endor check", "is this package safe", or provides a package name after installing a dependency. Do NOT use for scanning an entire repo (/endor-scan) or viewing existing findings (/endor-findings).
77
96%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its purpose, provides abundant natural trigger terms, explicitly states both when to use and when NOT to use the skill, and distinguishes itself from related skills. The negative boundary clauses referencing sibling skills are particularly effective for preventing misrouting in a multi-skill environment.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | The description lists a concrete action: 'Check if a specific dependency has known vulnerabilities or malware using Endor Labs.' It clearly specifies the tool (Endor Labs), the target (a specific dependency/package), and what it checks for (vulnerabilities, malware). | 3 / 3 |
Completeness | Clearly answers both 'what' (check a specific dependency for vulnerabilities/malware using Endor Labs) and 'when' (explicit 'Use when...' clause with multiple trigger scenarios). Additionally includes negative boundaries ('Do NOT use for...') which further clarifies scope. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger terms: 'check lodash', 'is express vulnerable', 'any CVEs in django', 'endor check', 'is this package safe', 'package name', 'dependency'. These are phrases users would naturally say when wanting to check a package's safety. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with explicit negative boundaries distinguishing it from related skills (/endor-scan for repo scanning, /endor-findings for viewing findings). The focus on single-package vulnerability checking creates a clear, non-overlapping niche. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
92%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted skill that efficiently guides Claude through checking a dependency for vulnerabilities. It excels in actionability with specific tool names, parameters, ecosystem mappings, and output templates. The content is concise, avoids explaining concepts Claude already knows, and provides clear error handling. The only minor weakness is that referenced files (install-commands.md, data-sources.md) aren't available in the bundle to verify the progressive disclosure structure.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is lean and well-structured. Every section serves a purpose—input parsing, ecosystem mapping, workflow steps, output templates, and error handling. No unnecessary explanations of what vulnerabilities are or how MCP tools work. | 3 / 3 |
Actionability | Provides specific MCP tool names (`check_dependency_for_risks`, `check_dependency_for_vulnerabilities`), exact parameter names, concrete output templates with markdown formatting, and a clear error handling table with specific actions. The ecosystem mapping table is immediately usable. | 3 / 3 |
Workflow Clarity | Clear two-step workflow with a preferred/fallback pattern for the check step. The output formatting is explicitly templated for both positive and negative results. Error handling covers key failure modes with specific recovery actions. The workflow is simple enough that validation checkpoints aren't needed—it's a read-only check operation. | 3 / 3 |
Progressive Disclosure | References `references/install-commands.md` and `references/data-sources.md` which shows good intent for progressive disclosure, but no bundle files are provided to verify these exist. The main content is well-organized with clear sections, but the inline output templates are somewhat lengthy and could potentially be referenced externally. | 2 / 3 |
Total | 11 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- endorlabs/skills-ideas
- Commit
b958adc
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.