
endor-explain

Get detailed information about a specific CVE or security finding. Use when the user says "what is CVE-2024-XXXXX", "explain this vulnerability", "tell me about GHSA-...", "endor explain", "finding details", or wants to understand severity, impact, attack vectors, and affected versions for a specific issue. Do NOT use for fixing a vuln (/endor-fix) or listing all findings (/endor-findings).

72

Quality: 88% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Passed, no known issues


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope, provides rich natural trigger terms, and explicitly delineates boundaries with related skills. The inclusion of 'Do NOT use for' clauses is particularly effective for disambiguation. The description uses proper third-person voice and is concise yet comprehensive.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Specificity | Lists multiple specific concrete actions: get detailed information about a CVE, explain vulnerability, understand severity, impact, attack vectors, and affected versions. Also explicitly distinguishes what it does NOT do (fixing or listing). | 3 / 3 |
| Completeness | Clearly answers both 'what' (get detailed information about a specific CVE or security finding, including severity, impact, attack vectors, affected versions) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Also includes explicit negative boundaries with 'Do NOT use for' guidance. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'what is CVE-2024-XXXXX', 'explain this vulnerability', 'tell me about GHSA-...', 'endor explain', 'finding details'. These are realistic phrases users would naturally use. | 3 / 3 |
| Distinctiveness Conflict Risk | Highly distinctive with clear niche (specific CVE/finding details) and explicit negative boundaries distinguishing it from related skills (/endor-fix for fixing, /endor-findings for listing). The trigger terms like 'CVE-2024-XXXXX' and 'GHSA-...' are very specific. | 3 / 3 |

Total: 12 / 12 (Passed)

Implementation

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured skill with clear multi-step workflows for two distinct input types (CVE and Finding UUID). The actionability is strong with specific tool names and detailed output templates. The main weakness is that the extensive output templates add bulk that could be more concisely expressed or moved to reference files, and some table fields (like CVSS vector components) explain concepts Claude already knows.

Suggestions

Consider condensing the output templates—Claude can infer table formatting from a brief description rather than needing full markdown templates with every placeholder spelled out.

Move the detailed output templates to a separate reference file (e.g., references/output-templates.md) to keep the main SKILL.md focused on workflow logic and tool usage.

| Dimension | Reasoning | Score |
| --- | --- | --- |
| Conciseness | The skill is reasonably efficient but includes some redundancy—the detailed markdown templates with placeholder variables are somewhat verbose, and the table structures for CVSS vector components explain things Claude already understands. However, most content serves a purpose as output formatting templates. | 2 / 3 |
| Actionability | The skill provides specific tool names (get_endor_vulnerability, check_dependency_for_risks, get_resource), concrete step sequences, exact output templates with field mappings, and clear error handling actions. Claude knows exactly what to call and how to present results. | 3 / 3 |
| Workflow Clarity | Both the CVE lookup and Finding UUID lookup workflows are clearly sequenced with numbered steps. The output templates serve as validation checkpoints ensuring all required fields are gathered. Error handling covers common failure modes with specific recovery actions. | 3 / 3 |
| Progressive Disclosure | The skill references 'references/data-sources.md' for data source policy, which is good, but the detailed markdown output templates could arguably be split into a separate reference file. The inline templates make the main skill longer than necessary, though the structure with clear section headers is reasonable. | 2 / 3 |

Total: 10 / 12 (Passed)

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: endorlabs/skills-ideas
Reviewed
