endor-sast

Static application security testing for code-level vulnerabilities. Use when the user says "SAST scan", "find SQL injection", "check for XSS", "static analysis", "endor sast", "code security scan", or wants to find injection flaws, hardcoded credentials, and insecure patterns in source code. Do NOT use for dependency vulnerabilities (/endor-sca), secrets scanning (/endor-secrets), or viewing pre-computed AI SAST findings (/endor-ai-sast).

Quality

82%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Risky

Do not use without reviewing

Quality

Content

64%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a solid, actionable SAST scanning skill with concrete MCP tool parameters, CLI fallback commands, and a well-structured output template. Its main weaknesses are the lack of validation/feedback loops in the workflow (e.g., verifying scan completion before retrieving findings) and some inline content that could be offloaded to reference files. The content is mostly efficient but includes some reference material (vulnerability categories, secure patterns) that could be trimmed or externalized.

Suggestions

Add explicit validation checkpoints in the workflow, e.g., 'Verify scan status is complete before proceeding to Step 2' and 'If get_resource returns no data, retry or inform user of scan failure'.

Move the vulnerability categories table and language-specific secure patterns into separate reference files to reduce the main skill's token footprint and improve progressive disclosure.

Dimension	Reasoning	Score
Conciseness	The vulnerability categories table and language-specific secure patterns are useful reference material, but the vulnerability table is somewhat redundant given Claude's existing security knowledge. The AI false positive reduction section could be tighter. Overall mostly efficient with some trimming opportunities.	2 / 3
Actionability	Provides concrete MCP tool invocations with specific parameters, executable CLI commands with exact flags, a detailed output template with placeholders, and language-specific secure coding patterns. The guidance is specific and copy-paste ready.	3 / 3
Workflow Clarity	The 4-step workflow is clearly sequenced and logical, but lacks explicit validation checkpoints or feedback loops. There's no guidance on what to do if Step 2 fails, if findings are incomplete, or how to verify the scan actually completed successfully before proceeding to analysis.	2 / 3
Progressive Disclosure	References `references/data-sources.md` for data source policy and mentions other skills like `/endor-scan-full` and `/endor-setup`, showing some progressive disclosure. However, the language-specific patterns and vulnerability categories table could be split into reference files, and no bundle files exist to support the one reference that is made.	2 / 3
	Total	9 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms that users would naturally use, explicit 'Use when' and 'Do NOT use' clauses, and clear differentiation from related skills. The negative boundary definitions (what NOT to use it for) are particularly effective for disambiguation in a multi-skill environment.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions and vulnerability types: 'SQL injection', 'XSS', 'injection flaws', 'hardcoded credentials', 'insecure patterns in source code'. Clearly describes the domain (static application security testing) with concrete examples of what it finds.	3 / 3
Completeness	Clearly answers both 'what' (static application security testing for code-level vulnerabilities, finding injection flaws, hardcoded credentials, insecure patterns) and 'when' (explicit 'Use when...' clause with multiple trigger phrases). Additionally includes explicit 'Do NOT use' guidance to prevent misuse, which goes above and beyond.	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms users would say: 'SAST scan', 'find SQL injection', 'check for XSS', 'static analysis', 'endor sast', 'code security scan'. These are highly natural phrases a user would actually type when needing this skill.	3 / 3
Distinctiveness Conflict Risk	Exceptionally distinctive. Not only does it define a clear niche (SAST for code-level vulnerabilities), but it explicitly differentiates itself from related skills by listing what NOT to use it for: dependency vulnerabilities (/endor-sca), secrets scanning (/endor-secrets), and AI SAST findings (/endor-ai-sast). This anti-trigger guidance greatly reduces conflict risk.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: endorlabs/skills-ideas
Commit: b958adc

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.