
endor-sca

Scan all project dependencies for known vulnerabilities using Software Composition Analysis. Use when the user says "scan my dependencies", "SCA scan", "vulnerable dependencies", "endor sca", "what's wrong with my deps", or wants a focused dependency vulnerability report with direct vs transitive breakdown. Do NOT use for checking a single package (/endor-check), SAST code scanning (/endor-sast), or quick full scan (/endor-scan).

73

Quality

89%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope (dependency vulnerability scanning via SCA), provides rich natural trigger terms covering multiple user phrasings, and explicitly delineates boundaries with related skills. The inclusion of 'Do NOT use' clauses is particularly effective for disambiguation in a multi-skill environment.

Dimension / Reasoning / Score

Specificity

Lists concrete actions: 'Scan all project dependencies for known vulnerabilities using Software Composition Analysis' and specifies output type 'dependency vulnerability report with direct vs transitive breakdown'. Also explicitly excludes related but different actions.

3 / 3

Completeness

Clearly answers both 'what' (scan project dependencies for known vulnerabilities using SCA, produce direct vs transitive breakdown) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Also includes explicit 'Do NOT use' guidance for disambiguation.

3 / 3

Trigger Term Quality

Excellent coverage of natural trigger terms: 'scan my dependencies', 'SCA scan', 'vulnerable dependencies', 'endor sca', 'what's wrong with my deps'. These cover formal, informal, and tool-specific phrasings users would naturally use.

3 / 3

Distinctiveness Conflict Risk

Highly distinctive with explicit negative boundaries listing three related but different skills (/endor-check, /endor-sast, /endor-scan) and their use cases. This makes it very unlikely to conflict with similar skills in the same toolset.

3 / 3

Total: 12 / 12

Passed

Implementation

79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, actionable SCA scanning skill that efficiently communicates the workflow, supported ecosystems, and error handling. Its main weakness is the lack of explicit validation checkpoints between workflow steps (e.g., confirming scan success before retrieving findings). The content is appropriately concise and assumes Claude's competence without over-explaining.

Suggestions

Add an explicit validation checkpoint after Step 2 (e.g., 'Verify scan status is complete and check for partial failures before proceeding to retrieve findings').

Add a brief feedback loop for when dependency resolution fails or returns unexpected counts (e.g., 'If dependency count seems low, check for missing lock files and re-scan').
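The two suggestions above (a checkpoint that refuses to read findings until the scan is complete and free of partial failures, and a feedback loop that flags a thin dependency tree or a manifest with no lock file) are easy to make concrete. The block below is an added example written for this page, not code from the endor-sca skill or Endor Labs; the scan-result schema, the manifest-to-lock-file table and every function name are assumptions, and the sample result is constructed. It also produces the direct vs transitive breakdown with a per-finding upgrade path, which is the output format the skill asks for.

```python
"""Post-scan validation and direct/transitive reporting for an SCA workflow.

Added example, not the endor-sca skill's or Endor Labs' code. The result
schema, lock-file table and function names are assumptions for illustration.
"""
from pathlib import Path

# Manifest -> lock files that pin resolved (transitive) versions. Assumption:
# a manifest with no lock file usually means the scanner only saw direct deps.
LOCK_FOR_MANIFEST = {
    "package.json": ("package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "go.mod": ("go.sum",),
    "pyproject.toml": ("poetry.lock", "uv.lock"),
}

# Constructed sample scan result; the shape is invented for this example.
SAMPLE_RESULT = {
    "status": "complete",
    "partial_failures": [],
    "dependencies": [
        {"name": "lodash", "version": "4.17.15", "direct": True, "via": []},
        {"name": "mkdirp", "version": "0.5.1", "direct": True, "via": []},
        {"name": "minimist", "version": "1.2.0", "direct": False, "via": ["mkdirp"]},
    ],
    "findings": [
        {"package": "lodash", "version": "4.17.15", "id": "CVE-2020-8203",
         "severity": "high", "fixed": "4.17.19"},
        {"package": "minimist", "version": "1.2.0", "id": "CVE-2020-7598",
         "severity": "medium", "fixed": "1.2.3"},
    ],
}


def scan_problems(result):
    """Checkpoint after the scan step: reasons not to trust the findings yet."""
    problems = []
    if result.get("status") != "complete":
        problems.append(f"scan status is {result.get('status')!r}, not 'complete'")
    problems.extend(f"partial failure: {msg}" for msg in result.get("partial_failures", []))
    return problems


def missing_lock_files(present):
    """Manifests present at the project root without any matching lock file."""
    present = set(present)
    return sorted(m for m, locks in LOCK_FOR_MANIFEST.items()
                  if m in present and not present & set(locks))


def count_looks_low(result, min_transitive_ratio=0.25):
    """True when the transitive share is suspiciously small for a resolved tree."""
    deps = result["dependencies"]
    if not deps:
        return True
    transitive = sum(1 for d in deps if not d["direct"])
    return transitive / len(deps) < min_transitive_ratio


def breakdown(result):
    """Findings grouped by direct vs transitive, each with an upgrade path."""
    by_name = {d["name"]: d for d in result["dependencies"]}
    report = {"direct": [], "transitive": []}
    for f in result["findings"]:
        dep = by_name[f["package"]]
        if dep["direct"]:
            path = f'upgrade {f["package"]} to {f["fixed"]}'
        else:
            chain = " > ".join(dep["via"] + [f["package"]])
            path = f'transitive via {chain}; bump {dep["via"][0]} or pin {f["package"]} to {f["fixed"]}'
        report["direct" if dep["direct"] else "transitive"].append(
            f'{f["package"]}@{f["version"]}  {f["id"]}  {f["severity"]}  fixed in {f["fixed"]}  ({path})'
        )
    return report


def render(result, root_files=()):
    """Steps 3 and 4: refuse on scan problems, warn on a thin tree, then report."""
    problems = scan_problems(result)
    if problems:
        raise RuntimeError("not retrieving findings: " + "; ".join(problems))
    lines = []
    missing = missing_lock_files(root_files)
    if missing or count_looks_low(result):
        lines.append("WARNING: dependency tree looks incomplete; manifests without "
                     f"lock files: {missing or 'none'}; lock and re-scan")
    deps = result["dependencies"]
    n_direct = sum(1 for d in deps if d["direct"])
    lines.append(f"{len(deps)} dependencies ({n_direct} direct, {len(deps) - n_direct} "
                 f"transitive), {len(result['findings'])} vulnerable")
    rep = breakdown(result)
    for kind in ("direct", "transitive"):
        lines.append(f"{kind.upper()} ({len(rep[kind])}):")
        lines.extend("  " + entry for entry in rep[kind])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_RESULT, (p.name for p in Path(".").iterdir())))
```

The transitive-ratio threshold is a heuristic and an assumption; the useful signal for an agent is the combination of a low count with a manifest that has no lock file, which is exactly the case where re-scanning after locking changes the answer.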

Dimension / Reasoning / Score

Conciseness

The content is lean and efficient. The ecosystem table is a useful reference that Claude wouldn't inherently know. No unnecessary explanations of what SCA is or how dependency management works. Every section earns its place.

3 / 3

Actionability

Provides specific MCP tool names, exact parameters (path, scan_types, scan_options), CLI fallback with executable command, and a concrete output format for presenting results including package@version, CVE ID, fixed version, and upgrade path. The guidance is specific and directly executable.

3 / 3

Workflow Clarity

Steps are clearly sequenced (detect → scan → retrieve details → present), but validation checkpoints are missing. There's no explicit step to verify the scan completed successfully before retrieving findings, and no feedback loop for partial scan failures or incomplete dependency resolution.

2 / 3

Progressive Disclosure

References `references/data-sources.md` and links to other commands (/endor-fix, /endor-check, etc.), which is good. However, the ecosystem table and detailed output format could be split into reference files. The single reference to a bundle file that does not exist (no bundle files are provided) is a minor concern, though the content is reasonably organized for its length.

2 / 3

Total: 10 / 12

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository
endorlabs/skills-ideas
Reviewed
