Lists multiple concrete actions: display findings, filter by severity, reachability, category (vuln/sast/secrets/license). Also explicitly states what it does NOT do (running scans, explaining CVEs), which adds specificity.

Clearly answers both 'what' (display and filter security findings from Endor Labs with specific filter dimensions) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Also includes negative boundaries with 'Do NOT use for' guidance.

Excellent coverage of natural trigger phrases: 'show findings', 'list vulnerabilities', 'what did the scan find', 'endor findings', 'show me critical reachable vulns', plus domain terms like severity, reachability, and category types.

Highly distinctive with explicit negative boundaries referencing other skills (/endor-scan, /endor-explain), clear niche of browsing/filtering results, and specific product name (Endor Labs) that minimizes conflict risk.

Every section earns its place — the filter reference table is pure lookup data Claude wouldn't know, the workflow is tightly structured, and there's no explanation of basic concepts. No wasted tokens.

Provides concrete API filter strings, executable CLI commands, exact markdown output templates, and specific error-to-action mappings. The filter reference table is copy-paste ready for building queries.

Clear 3-step sequence (Query → Interpret → Present) with multiple options for Step 1, explicit priority ordering for results, and error handling table that covers common failure modes with specific recovery actions.

Main content is a concise overview with well-signaled one-level-deep references to supporting files (references/cli-parsing.md, references/reachability-tags.md, references/data-sources.md). Content is appropriately split between inline essentials and external details.