endor-sbom
Manage Software Bill of Materials — export, import, analyze, and compare SBOMs in CycloneDX and SPDX formats. Use when the user says "generate SBOM", "export SBOM", "software bill of materials", "endor sbom", "compare SBOMs", "NTIA compliance", or needs component inventory for compliance. Do NOT use for vulnerability scanning (/endor-scan) or license analysis (/endor-license).
64
75%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/endor-sbom/SKILL.mdQuality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific concrete actions, comprehensive trigger terms users would naturally say, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries that distinguish it from related skills. The inclusion of negative triggers (/endor-scan, /endor-license) is a best practice that further reduces conflict risk.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: 'export, import, analyze, and compare SBOMs' along with specific formats (CycloneDX, SPDX) and mentions component inventory for compliance. Very concrete. | 3 / 3 |
Completeness | Clearly answers both 'what' (manage SBOMs — export, import, analyze, compare in CycloneDX/SPDX formats) and 'when' (explicit 'Use when...' clause with specific trigger phrases). Also includes explicit 'Do NOT use' guidance for disambiguation, which is excellent. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger terms: 'generate SBOM', 'export SBOM', 'software bill of materials', 'endor sbom', 'compare SBOMs', 'NTIA compliance', and 'component inventory'. These are terms users would naturally use. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche (SBOM management). The explicit 'Do NOT use' clauses for vulnerability scanning and license analysis actively prevent conflicts with related skills, making this exceptionally well-scoped. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
50%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill has good structure and the Export action is well-documented with executable commands and clear steps. However, the Analyze, Compare, and Validate actions are significantly weaker — they describe desired outputs without providing concrete commands, tool invocations, or step-by-step workflows. The skill would benefit from making all actions as actionable as Export.
Suggestions
Add concrete commands or MCP tool calls for Analyze, Compare, and Validate actions — currently they only describe what to present, not how to obtain the data.
Add explicit validation/verification steps to Compare and Validate workflows (e.g., 'verify both SBOMs parse correctly before comparing', 'if validation fails, show specific errors and re-validate after fixes').
Either provide the referenced 'references/data-sources.md' bundle file or remove the reference to avoid a dead link.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | Generally efficient with good use of tables and structured sections. Some areas could be tightened — the description line repeats the title, and the Analyze/Compare/Validate sections are somewhat vague rather than lean-and-precise. However, it doesn't over-explain concepts Claude already knows. | 2 / 3 |
Actionability | The Export action provides concrete executable commands with specific flags and MCP tool usage, which is good. However, Analyze, Compare, and Validate actions are described abstractly ('Present component breakdown', 'Check format validity') without concrete commands, code, or tool invocations — they describe what to do rather than how to do it. | 2 / 3 |
Workflow Clarity | The Export workflow has clear numbered steps with a validation-like check (get UUID first, suggest scan if not found). However, Analyze, Compare, and Validate lack sequenced steps with explicit validation checkpoints. Compare and Validate have no concrete workflow steps at all — just descriptions of desired output. No feedback loops for error recovery within workflows. | 2 / 3 |
Progressive Disclosure | The skill references 'references/data-sources.md' and cross-references other skills (/endor-scan, /endor-license, /endor-cicd), which is good navigation. However, no bundle files are provided to support the reference, and the content is somewhat monolithic — the Analyze/Compare/Validate sections could benefit from being either fleshed out inline or pointed to detailed reference files. | 2 / 3 |
Total | 8 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- endorlabs/skills-ideas
- Commit
b958adc
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.