endor-scan
Fast security scan of the current repository using Endor Labs. Use when the user says "scan my code", "quick scan", "endor scan", "scan this repo", "run a security scan", or wants a rapid overview of vulnerabilities, secrets, and SAST issues. Also handles incremental PR scans when user mentions "just my changes" or "PR scan". Do NOT use for deep reachability analysis (/endor-scan-full) or checking a single package (/endor-check).
73
89%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities, abundant natural trigger terms, explicit 'Use when' and 'Do NOT use' clauses, and clear differentiation from related skills. The negative boundary guidance ('Do NOT use for...') is a particularly strong feature for disambiguation in a multi-skill environment.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: security scan, rapid overview of vulnerabilities, secrets, SAST issues, and incremental PR scans. Also explicitly distinguishes from related skills (deep reachability analysis, single package checks). | 3 / 3 |
Completeness | Clearly answers both 'what' (fast security scan for vulnerabilities, secrets, SAST issues, incremental PR scans) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Also includes explicit 'Do NOT use' guidance for disambiguation. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'scan my code', 'quick scan', 'endor scan', 'scan this repo', 'run a security scan', 'just my changes', 'PR scan'. These are highly natural phrases a user would actually type. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with clear boundaries. Explicitly differentiates itself from /endor-scan-full (deep reachability analysis) and /endor-check (single package), making it very unlikely to conflict with related skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
79%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, actionable skill that efficiently guides Claude through running Endor Labs security scans. Its strengths are concrete MCP tool parameters, clear decision logic for full vs. incremental scans, and a comprehensive error handling table. Minor weaknesses include the lack of explicit validation checkpoints between scan execution and result retrieval, and unverifiable file references due to missing bundle files.
Suggestions
Add an explicit validation checkpoint after Step 2 (e.g., 'Verify scan completed successfully before retrieving findings; if partial failure, note which scan types succeeded') to strengthen the workflow with a feedback loop.
Provide the referenced bundle files (references/reachability-tags.md, references/data-sources.md) or note their absence so the progressive disclosure structure is complete and verifiable.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is lean and efficient. It avoids explaining what security scanning is or how MCP tools work. Every section serves a purpose—language detection, scan commands, result presentation, error handling—without padding or unnecessary context. | 3 / 3 |
Actionability | Provides specific MCP tool parameters (path, scan_types, scan_options), concrete CLI fallback commands, exact flags, and a clear priority ordering for presenting results. The error handling table maps specific errors to specific actions. Fully actionable. | 3 / 3 |
Workflow Clarity | Steps are clearly sequenced (detect → scan → retrieve details → present), and the error handling table is excellent. However, there's no explicit validation checkpoint after the scan step—e.g., checking scan exit status or verifying results before proceeding to detail retrieval. The partial success handling is mentioned only in the error section rather than as an inline checkpoint. | 2 / 3 |
Progressive Disclosure | References to `references/reachability-tags.md` and `references/data-sources.md` are well-signaled and one level deep. However, no bundle files were provided, so these references cannot be verified. The next steps section nicely points to related skills. The error handling table is inline but reasonably sized; it could arguably be split out for a cleaner overview. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- endorlabs/skills-ideas
- Commit
b958adc
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.