Scan all project dependencies for known vulnerabilities using Software Composition Analysis. Use when the user says "scan my dependencies", "SCA scan", "vulnerable dependencies", "endor sca", "what's wrong with my deps", or wants a focused dependency vulnerability report with direct vs transitive breakdown. Do NOT use for checking a single package (/endor-check), SAST code scanning (/endor-sast), or quick full scan (/endor-scan).
Overall score: 95
Quality: 93% (does it follow best practices?)
Impact: Pending (no eval scenarios have been run)
Validation: Passed (no known issues)
Quality
Discovery
Score: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly defines its scope (dependency vulnerability scanning via SCA), provides rich natural trigger terms covering multiple user phrasings, and explicitly delineates boundaries with related skills. The inclusion of 'Do NOT use' clauses is particularly effective for disambiguation in a multi-skill environment.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists concrete actions: 'Scan all project dependencies for known vulnerabilities using Software Composition Analysis' and specifies the output type, 'dependency vulnerability report with direct vs transitive breakdown'. Also explicitly excludes related but different actions. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scan project dependencies for known vulnerabilities using SCA, produce a report with direct vs transitive breakdown) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Also includes explicit 'Do NOT use' guidance for disambiguation. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms: 'scan my dependencies', 'SCA scan', 'vulnerable dependencies', 'endor sca', 'what's wrong with my deps'. These cover formal, informal, and tool-specific phrasings users would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive, with explicit negative boundaries listing three related but different skills (/endor-check, /endor-sast, /endor-scan) and their use cases. This makes it very unlikely to conflict with similar skills in the same toolset. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
Score: 87%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted skill that efficiently communicates a multi-step SCA scanning workflow with concrete tool parameters, clear output formatting requirements, and good error handling coverage. The ecosystem reference table adds genuine value. The main weakness is the lack of explicit validation checkpoints between workflow steps, particularly around confirming successful dependency resolution before proceeding.
Suggestions
Add a validation checkpoint after Step 2 to verify the dependency tree resolved successfully (e.g., check dependency count > 0) before proceeding to finding retrieval.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and efficient. The ecosystem table is a useful reference that Claude wouldn't inherently know. No unnecessary explanations of what SCA is or how dependency management works. Every section earns its place. | 3 / 3 |
| Actionability | Provides specific MCP tool names, exact parameter structures, a CLI fallback with a concrete command, and detailed output format requirements including specific fields per finding. The guidance is concrete and directly executable. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced (detect → scan → retrieve → present), but there are no explicit validation checkpoints or feedback loops between steps. For instance, there is no verification that the dependency tree resolved correctly before proceeding to vulnerability matching, and no retry logic for partial scan failures. | 2 / 3 |
| Progressive Disclosure | Content is well-structured with clear sections. References to other commands (/endor-fix, /endor-check, etc.) and external files (references/data-sources.md) are one level deep and clearly signaled. The ecosystem table, workflow, and error handling are appropriately organized inline given the skill's scope. | 3 / 3 |
| Total | | 11 / 12 Passed |
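The checkpoint suggested above (verify the dependency tree resolved before retrieving findings) and the missing retry logic noted under Workflow Clarity, shown as an added example that is not part of the skill or of any Endor Labs tooling. Package names, finding identifiers (`EXAMPLE-…`) and the `fetch` callable are constructed placeholders; nothing here calls the skill's MCP tools or CLI. The direct vs transitive split matches each finding on exact package name and version and attributes transitive hits to the direct dependency that pulled them in.

```python
"""Hypothetical SCA post-processing: fail fast on an empty or inconsistent
dependency tree, retry transient retrieval failures, then report findings
split by direct vs transitive introduction. All data is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional


class DependencyResolutionError(RuntimeError):
    """Raised when the resolved tree cannot be trusted for finding matching."""


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    direct: bool                 # declared in the manifest vs pulled in transitively
    via: Optional[str] = None    # nearest direct dependency that introduced it


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    severity: str


# Constructed tree with hypothetical package names, not real projects.
SAMPLE_DEPS = [
    Dependency("web-client", "1.0.0", direct=True),
    Dependency("http-core", "2.3.1", direct=False, via="web-client"),
    Dependency("logger", "0.9.0", direct=True),
    Dependency("parser-lib", "4.0.0", direct=False, via="logger"),
]

# Constructed findings with placeholder identifiers, not real advisories.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "http-core", "2.3.1", "HIGH"),
    Finding("EXAMPLE-0002", "logger", "0.9.0", "MEDIUM"),
    Finding("EXAMPLE-0003", "http-core", "9.9.9", "HIGH"),  # version not in tree
]


def validate_tree(deps: list) -> int:
    """Step 2 checkpoint: refuse to proceed on an empty or inconsistent tree.

    An empty tree usually means the manifest or lockfile was not picked up;
    matching findings against it would silently produce a clean report."""
    if not deps:
        raise DependencyResolutionError(
            "no dependencies resolved; check the manifest/lockfile before retrieving findings")
    direct_names = {d.name for d in deps if d.direct}
    orphans = [d.name for d in deps if not d.direct and d.via not in direct_names]
    if orphans:
        raise DependencyResolutionError(f"transitive deps with unknown parent: {orphans}")
    return len(deps)


def retrieve_with_retry(fetch: Callable[[], list], attempts: int = 3) -> list:
    """Retry transient retrieval failures; surface a hard error after the last attempt."""
    last_error: Optional[Exception] = None
    for _ in range(attempts):
        try:
            return fetch()
        except (TimeoutError, ConnectionError) as exc:  # treated as transient
            last_error = exc
    raise RuntimeError(f"finding retrieval failed after {attempts} attempts") from last_error


def breakdown(deps: list, findings: list) -> dict:
    """Match findings on exact (name, version) and split by how the package got in."""
    index = {(d.name, d.version): d for d in deps}
    report = {"direct": [], "transitive": [], "unmatched": []}
    for f in findings:
        dep = index.get((f.package, f.version))
        if dep is None:
            report["unmatched"].append(f.vuln_id)   # tree and finding disagree; do not hide it
            continue
        entry = {"id": f.vuln_id, "package": f"{f.package}@{f.version}",
                 "severity": f.severity, "via": dep.via}
        report["direct" if dep.direct else "transitive"].append(entry)
    return report


def run_report(deps: list, fetch: Callable[[], list]) -> dict:
    """The workflow with the checkpoint in place: validate, retrieve, present."""
    report = {"dependency_count": validate_tree(deps)}
    report.update(breakdown(deps, retrieve_with_retry(fetch)))
    return report


if __name__ == "__main__":
    calls = {"n": 0}

    def flaky_fetch() -> list:  # fails once, then returns the constructed findings
        calls["n"] += 1
        if calls["n"] == 1:
            raise TimeoutError("simulated transient failure")
        return SAMPLE_FINDINGS

    for bucket, entries in run_report(SAMPLE_DEPS, flaky_fetch).items():
        print(bucket, entries)
```

The `unmatched` bucket is deliberate: a finding whose package version is absent from the resolved tree means the scan and the resolution disagree, and an agent should report that rather than drop the finding or count it as fixed.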
Validation
Score: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
344e7ff