Manage Software Bill of Materials — export, import, analyze, and compare SBOMs in CycloneDX and SPDX formats. Use when the user says "generate SBOM", "export SBOM", "software bill of materials", "endor sbom", "compare SBOMs", "NTIA compliance", or needs component inventory for compliance. Do NOT use for vulnerability scanning (/endor-scan) or license analysis (/endor-license).
Optimize this skill with Tessl
npx tessl skill review --optimize ./skills/endor-sbom/SKILL.md

Quality

Discovery
100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific concrete actions, comprehensive trigger terms users would naturally use, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries that distinguish it from related skills like vulnerability scanning and license analysis.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'export, import, analyze, and compare SBOMs' along with specific formats (CycloneDX, SPDX) and mentions component inventory for compliance. Very concrete. | 3 / 3 |
| Completeness | Clearly answers both 'what' (manage SBOMs — export, import, analyze, compare in CycloneDX/SPDX formats) and 'when' (explicit 'Use when...' clause with specific trigger phrases). Also includes 'Do NOT use' guidance for disambiguation, which is excellent. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms: 'generate SBOM', 'export SBOM', 'software bill of materials', 'endor sbom', 'compare SBOMs', 'NTIA compliance'. These are terms users would naturally use when needing this skill. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche (SBOM management). The explicit 'Do NOT use' clauses for vulnerability scanning and license analysis actively prevent conflicts with related skills, making it very unlikely to trigger incorrectly. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
57%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
The skill has good structure and organization with a clear action table and error handling section. The Export action is the strongest with executable commands, but the Analyze, Compare, and Validate actions are too abstract — they describe desired outputs without providing concrete tool calls or commands. The skill would benefit significantly from adding executable examples for all actions, not just Export.
Suggestions

- Add concrete MCP tool calls or CLI commands for the Analyze, Compare, and Validate actions (e.g., specific `endorctl` commands or `get_resource` queries with parameters).
- Add a verification step after SBOM export (e.g., validate the generated file or check file size/component count).
- For the Compare action, specify how to obtain or reference the two SBOMs being compared — provide a concrete command example with two file paths or project UUIDs.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Mostly efficient with good use of tables and structured sections. Some sections like 'Analyze' and 'Compare' are somewhat vague descriptions rather than lean instructions, and the summary presentation requirements in Export step 3 are verbose lists that could be tightened. | 2 / 3 |
| Actionability | The Export action has concrete executable commands, but Analyze, Compare, and Validate actions lack specific commands or code — they describe what to present rather than how to execute. Compare and Validate have no concrete tool calls or commands at all. | 2 / 3 |
| Workflow Clarity | Export has a clear numbered sequence with a validation-like first step (check project exists). However, Analyze, Compare, and Validate lack clear step sequences and have no explicit validation checkpoints or error recovery loops. The Export workflow also lacks a verification step after generation. | 2 / 3 |
| Progressive Disclosure | Content is well-organized with clear sections per action, a concise overview table, and appropriate references to other skills and a data-sources.md file. The skill stays at overview level and points elsewhere for related concerns. | 3 / 3 |
| Total | | 9 / 12 Passed |
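The review asks for two things the skill currently leaves abstract: a verification step after an SBOM is exported, and a concrete way to compare two SBOMs. The Python below is an added example written for this page; it is not code from the endor-sbom skill, Endor Labs, or Tessl, and it does not call `endorctl`. It operates on two constructed CycloneDX JSON documents (`SBOM_V1`, `SBOM_V2`, invented package names) in place of real export output. `verify_export` checks the generated document against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp); the mapping of those elements onto CycloneDX fields (`supplier.name`, `purl`, `dependencies`, `metadata.tools`/`metadata.authors`, `metadata.timestamp`) is this example's assumption. `compare_sboms` keys components by their version-stripped purl so that version bumps show up as changes rather than as a removal plus an addition.

```python
import json
from datetime import datetime

# Constructed sample CycloneDX SBOMs for this example; not produced by endorctl
# or any real project. V2 drops libgamma, bumps libalpha, and adds libdelta
# without a supplier so that the verification step has something to flag.
SBOM_V1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-05-01T12:00:00Z",
                 "tools": [{"name": "example-generator"}]},
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.2.0",
         "purl": "pkg:pypi/libalpha@1.2.0", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "libbeta", "version": "3.0.1",
         "purl": "pkg:pypi/libbeta@3.0.1", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "libgamma", "version": "0.9.0",
         "purl": "pkg:pypi/libgamma@0.9.0", "supplier": {"name": "Other Org"}},
    ],
    "dependencies": [{"ref": "pkg:pypi/libalpha@1.2.0",
                      "dependsOn": ["pkg:pypi/libbeta@3.0.1"]}],
}
SBOM_V2 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-06-01T12:00:00Z",
                 "tools": [{"name": "example-generator"}]},
    "components": [
        {"type": "library", "name": "libalpha", "version": "1.3.0",
         "purl": "pkg:pypi/libalpha@1.3.0", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "libbeta", "version": "3.0.1",
         "purl": "pkg:pypi/libbeta@3.0.1", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "libdelta", "version": "2.0.0",
         "purl": "pkg:pypi/libdelta@2.0.0"},  # no supplier: NTIA gap
    ],
    "dependencies": [{"ref": "pkg:pypi/libalpha@1.3.0",
                      "dependsOn": ["pkg:pypi/libbeta@3.0.1"]}],
}


def load_sbom(path):
    """Read an exported CycloneDX JSON file (the real-world entry point)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def verify_export(sbom):
    """Post-export check: NTIA minimum elements mapped onto CycloneDX fields
    (the mapping is this example's assumption). Returns counts and issues."""
    issues = []
    if sbom.get("bomFormat") != "CycloneDX":
        issues.append("bomFormat is not CycloneDX")
    meta = sbom.get("metadata", {})
    try:  # timestamp: must be ISO-8601 ("Z" rewritten for older Pythons)
        datetime.fromisoformat(str(meta.get("timestamp")).replace("Z", "+00:00"))
    except ValueError:
        issues.append("metadata.timestamp missing or not ISO-8601")
    if not (meta.get("authors") or meta.get("tools")):
        issues.append("metadata has no authors/tools (author of SBOM data)")
    comps = sbom.get("components", [])
    if not comps:
        issues.append("no components: export probably failed or hit an empty project")
    for i, c in enumerate(comps):
        for field in ("name", "version", "purl"):  # name, version, unique id
            if not c.get(field):
                issues.append(f"component[{i}] missing {field}")
        if not c.get("supplier", {}).get("name"):
            issues.append(f"component[{i}] ({c.get('name', '?')}) missing supplier.name")
    if not sbom.get("dependencies"):
        issues.append("no dependencies section (dependency relationships)")
    return {"component_count": len(comps), "issues": issues, "ok": not issues}


def purl_base(purl):
    """Strip qualifiers/subpath and the trailing @version from a purl."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = purl.rpartition("@")
    # '@' inside the name part (npm scopes) is not a version separator
    return head if sep and "/" not in tail else purl


def component_index(sbom):
    return {purl_base(c["purl"]): c.get("version")
            for c in sbom.get("components", []) if c.get("purl")}


def compare_sboms(old, new):
    """Diff two SBOMs by version-stripped purl: added, removed, version changes."""
    a, b = component_index(old), component_index(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]},
    }


if __name__ == "__main__":
    print(json.dumps(verify_export(SBOM_V2), indent=2))
    print(json.dumps(compare_sboms(SBOM_V1, SBOM_V2), indent=2))
```

In a skill workflow the two functions map onto the review's suggestions directly: run `verify_export(load_sbom(path))` immediately after the export command and refuse to report success while `issues` is non-empty, and implement Compare as `compare_sboms(load_sbom(old_path), load_sbom(new_path))` so the agent always has two concrete file paths to name.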
Validation
100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
344e7ff