endor-sca

Scan all project dependencies for known vulnerabilities using Software Composition Analysis. Use when the user says "scan my dependencies", "SCA scan", "vulnerable dependencies", "endor sca", "what's wrong with my deps", or wants a focused dependency vulnerability report with direct vs transitive breakdown. Do NOT use for checking a single package (/endor-check), SAST code scanning (/endor-sast), or quick full scan (/endor-scan).

Quality

89%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, actionable SCA scanning skill that efficiently communicates the workflow, supported ecosystems, and error handling. Its main weakness is the lack of explicit validation checkpoints between workflow steps (e.g., confirming scan success before retrieving findings). The content is appropriately concise and assumes Claude's competence without over-explaining.

Suggestions

Add an explicit validation checkpoint after Step 2 (e.g., 'Verify scan status is complete and check for partial failures before proceeding to retrieve findings').

Add a brief feedback loop for when dependency resolution fails or returns unexpected counts (e.g., 'If dependency count seems low, check for missing lock files and re-scan').

Dimension	Reasoning	Score
Conciseness	The content is lean and efficient. The ecosystem table is a useful reference that Claude wouldn't inherently know. No unnecessary explanations of what SCA is or how dependency management works. Every section earns its place.	3 / 3
Actionability	Provides specific MCP tool names, exact parameters (path, scan_types, scan_options), CLI fallback with executable command, and a concrete output format for presenting results including package@version, CVE ID, fixed version, and upgrade path. The guidance is specific and directly executable.	3 / 3
Workflow Clarity	Steps are clearly sequenced (detect → scan → retrieve details → present), but validation checkpoints are missing. There's no explicit step to verify the scan completed successfully before retrieving findings, and no feedback loop for partial scan failures or incomplete dependency resolution.	2 / 3
Progressive Disclosure	References `references/data-sources.md` and links to other commands (/endor-fix, /endor-check, etc.) which is good. However, the ecosystem table and detailed output format could potentially be split into reference files. The single reference to a bundle file that doesn't exist (no bundle files provided) is a minor concern, though the content is reasonably organized for its length.	2 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its scope (dependency vulnerability scanning via SCA), provides rich natural trigger terms covering multiple user phrasings, and explicitly delineates boundaries with related skills. The inclusion of 'Do NOT use' clauses is particularly effective for disambiguation in a multi-skill environment.

Dimension	Reasoning	Score
Specificity	Lists concrete actions: 'Scan all project dependencies for known vulnerabilities using Software Composition Analysis' and specifies output type 'dependency vulnerability report with direct vs transitive breakdown'. Also explicitly excludes related but different actions.	3 / 3
Completeness	Clearly answers both 'what' (scan project dependencies for known vulnerabilities using SCA, produce direct vs transitive breakdown) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Also includes explicit 'Do NOT use' guidance for disambiguation.	3 / 3
Trigger Term Quality	Excellent coverage of natural trigger terms: 'scan my dependencies', 'SCA scan', 'vulnerable dependencies', 'endor sca', 'what's wrong with my deps'. These cover formal, informal, and tool-specific phrasings users would naturally use.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive with explicit negative boundaries listing three related but different skills (/endor-check, /endor-sast, /endor-scan) and their use cases. This makes it very unlikely to conflict with similar skills in the same toolset.	3 / 3
	Total	12 / 12 Passed

Validation

100%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: endorlabs/skills-ideas
Commit: b958adc

Reviewed: about 1 month ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.