Static application security testing for code-level vulnerabilities. Use when the user says "SAST scan", "find SQL injection", "check for XSS", "static analysis", "endor sast", "code security scan", or wants to find injection flaws, hardcoded credentials, and insecure patterns in source code. Do NOT use for dependency vulnerabilities (/endor-sca), secrets scanning (/endor-secrets), or viewing pre-computed AI SAST findings (/endor-ai-sast).
68
82% (Does it follow best practices?)
Impact: — (No eval scenarios have been run)
Risky: Do not use without reviewing
Quality
Discovery
100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms that users would naturally use, explicit 'Use when' and 'Do NOT use' clauses, and clear differentiation from related skills. The negative boundary definitions (what NOT to use it for) are particularly effective for disambiguation in a multi-skill environment.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and vulnerability types: 'SQL injection', 'XSS', 'injection flaws', 'hardcoded credentials', 'insecure patterns in source code'. Clearly describes the domain (static application security testing) with concrete examples of what it finds. | 3 / 3 |
| Completeness | Clearly answers both 'what' (static application security testing for code-level vulnerabilities, finding injection flaws, hardcoded credentials, insecure patterns) and 'when' (explicit 'Use when...' clause with multiple trigger phrases). Additionally includes explicit 'Do NOT use' guidance to prevent misuse, which goes above and beyond. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'SAST scan', 'find SQL injection', 'check for XSS', 'static analysis', 'endor sast', 'code security scan'. These are highly natural phrases a user would actually type when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Exceptionally distinctive. Not only does it define a clear niche (SAST for code-level vulnerabilities), but it explicitly differentiates itself from related skills by listing what NOT to use it for: dependency vulnerabilities (/endor-sca), secrets scanning (/endor-secrets), and AI SAST findings (/endor-ai-sast). This anti-trigger guidance greatly reduces conflict risk. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a solid, actionable SAST scanning skill with concrete MCP tool parameters, CLI fallback commands, and a well-structured output template. Its main weaknesses are the lack of validation/feedback loops in the workflow (e.g., verifying scan completion before retrieving findings) and some inline content that could be offloaded to reference files. The content is mostly efficient but includes some reference material (vulnerability categories, secure patterns) that could be trimmed or externalized.
Suggestions
Add explicit validation checkpoints in the workflow, e.g., 'Verify scan status is complete before proceeding to Step 2' and 'If get_resource returns no data, retry or inform user of scan failure'.
Move the vulnerability categories table and language-specific secure patterns into separate reference files to reduce the main skill's token footprint and improve progressive disclosure.
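The first suggestion above asks for validation checkpoints between "start scan", "retrieve findings" and "analyse". The following Python sketch, added here as an illustration and not code from the endor skill or from Endor Labs, shows what such checkpoints look like when written down: a bounded poll for a terminal scan state, a bounded retry on a missing findings payload, and a loud failure instead of silently reporting a clean codebase. The status strings ("pending", "running", "complete", "failed", "cancelled"), the `get_status` / `get_findings` callback signatures and the sample findings are all assumptions; a real integration would bind them to the actual MCP tool or CLI output.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
import time

# Assumed status vocabulary; substitute whatever the real scan backend reports.
TERMINAL_OK = {"complete"}
TERMINAL_FAIL = {"failed", "cancelled"}


class ScanError(RuntimeError):
    """Raised when a scan never reaches a usable state or returns no data."""


@dataclass
class ScanResult:
    scan_id: str
    status: str
    findings: list = field(default_factory=list)
    polls: int = 0


def wait_for_scan(scan_id: str, get_status: Callable[[str], str], max_polls: int = 10,
                  sleep: Callable[[float], None] = time.sleep, interval: float = 0.0) -> ScanResult:
    """Checkpoint 1: poll until a terminal state, bounded so a hung scan cannot stall the agent."""
    for attempt in range(1, max_polls + 1):
        status = get_status(scan_id)
        if status in TERMINAL_OK:
            return ScanResult(scan_id, status, polls=attempt)
        if status in TERMINAL_FAIL:
            raise ScanError(f"scan {scan_id} ended in state {status!r} after {attempt} poll(s)")
        sleep(interval)
    raise ScanError(f"scan {scan_id} still not terminal after {max_polls} poll(s)")


def fetch_findings(result: ScanResult, get_findings: Callable[[str], Optional[list]],
                   retries: int = 2) -> ScanResult:
    """Checkpoint 2: distinguish 'no payload' (None, retry then fail) from 'no findings' ([])."""
    for _ in range(retries + 1):
        findings = get_findings(result.scan_id)
        if findings is not None:
            result.findings = findings
            return result
    raise ScanError(f"no findings payload for scan {result.scan_id} after {retries + 1} attempt(s)")


def run_sast_workflow(scan_id, get_status, get_findings, **kw) -> ScanResult:
    """Start-to-analysis path with both checkpoints; sleeping is disabled so it runs instantly."""
    result = wait_for_scan(scan_id, get_status, sleep=lambda _: None, **kw)
    return fetch_findings(result, get_findings)


def run_or_error(*args, **kw):
    """Same workflow, but hands back the ScanError as a value for callers that prefer that."""
    try:
        return run_sast_workflow(*args, **kw)
    except ScanError as exc:
        return exc


# Constructed fakes standing in for the scan backend (assumption: not a real API).
def make_status_source(sequence):
    it, last = iter(sequence), sequence[-1]
    return lambda _scan_id: next(it, last)


def make_findings_source(sequence):
    it = iter(sequence)
    return lambda _scan_id: next(it, None)


# Constructed sample findings in the shape the skill's output template would summarise.
SAMPLE_FINDINGS = [
    {"rule": "sql-injection", "file": "app/db.py", "line": 42},
    {"rule": "hardcoded-credential", "file": "config.py", "line": 7},
]

if __name__ == "__main__":
    ok = run_sast_workflow("scan-1", make_status_source(["pending", "running", "complete"]),
                           make_findings_source([None, SAMPLE_FINDINGS]))
    print(f"{ok.status} after {ok.polls} polls, {len(ok.findings)} finding(s)")
```

The important design point is the `None` versus `[]` distinction in `fetch_findings`: an empty list is a legitimate clean result and should be reported as such, whereas a missing payload means the retrieval step failed and the agent must say so rather than announce that no vulnerabilities were found.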
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The vulnerability categories table and language-specific secure patterns are useful reference material, but the vulnerability table is somewhat redundant given Claude's existing security knowledge. The AI false positive reduction section could be tighter. Overall mostly efficient with some trimming opportunities. | 2 / 3 |
| Actionability | Provides concrete MCP tool invocations with specific parameters, executable CLI commands with exact flags, a detailed output template with placeholders, and language-specific secure coding patterns. The guidance is specific and copy-paste ready. | 3 / 3 |
| Workflow Clarity | The 4-step workflow is clearly sequenced and logical, but lacks explicit validation checkpoints or feedback loops. There's no guidance on what to do if Step 2 fails, if findings are incomplete, or how to verify the scan actually completed successfully before proceeding to analysis. | 2 / 3 |
| Progressive Disclosure | References `references/data-sources.md` for data source policy and mentions other skills like `/endor-scan-full` and `/endor-setup`, showing some progressive disclosure. However, the language-specific patterns and vulnerability categories table could be split into reference files, and no bundle files exist to support the one reference that is made. | 2 / 3 |
| Total | | 9 / 12 Passed |
Validation
100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
b958adc