endor-secrets
Scan for exposed secrets, credentials, API keys, and sensitive data in your codebase. Use when the user says "find secrets", "scan for API keys", "exposed credentials", "endor secrets", "check for hardcoded passwords", pre-commit / staged-only secret checks, or suspects leaked tokens in code. Detects AWS keys, GitHub tokens, Stripe keys, private keys, and more. Do NOT use for code vulnerability scanning (/endor-sast) or dependency checks (/endor-sca).
72
88%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Advisory
Suggest reviewing before use
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that covers all dimensions thoroughly. It provides specific capabilities, rich natural trigger terms, explicit 'Use when' and 'Do NOT use' clauses, and clear boundaries distinguishing it from related security scanning skills. The description is concise yet comprehensive, serving as a strong example of best practices.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions and detection targets: 'Scan for exposed secrets, credentials, API keys, and sensitive data', 'Detects AWS keys, GitHub tokens, Stripe keys, private keys'. Also specifies pre-commit/staged-only checks. | 3 / 3 |
Completeness | Clearly answers both 'what' (scan for exposed secrets, credentials, API keys in codebase, detects specific key types) and 'when' (explicit 'Use when...' clause with multiple trigger phrases). Also includes explicit 'Do NOT use' guidance for disambiguation. | 3 / 3 |
Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'find secrets', 'scan for API keys', 'exposed credentials', 'check for hardcoded passwords', 'leaked tokens', 'endor secrets', plus specific key types like AWS keys, GitHub tokens, Stripe keys. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche (secret/credential scanning) and explicit negative boundaries ('Do NOT use for code vulnerability scanning (/endor-sast) or dependency checks (/endor-sca)'), which directly prevents conflicts with related security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
77%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, highly actionable skill with clear workflow routing between pre-commit and default scan paths, executable commands, and explicit error handling. Its main weakness is moderate verbosity—the secret types reference table and duplicated rotation guidance across sections add tokens without proportional value. The presentation templates are thorough but lengthy for inline inclusion.
Suggestions
Consider moving the 'Secret Types Detected' table to a separate reference file since Claude doesn't need it to execute the scan workflow—it's informational context that inflates the token cost.
Consolidate the rotation guidance which appears in both 'Immediate Actions' and 'Recommendations' into a single concise block to reduce redundancy.
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The skill is mostly efficient and domain-specific, but includes some redundancy—the 'Secret Types Detected' table is informational padding Claude doesn't need to act on, and the shared rules/recommendations sections repeat rotation guidance multiple times with slightly different phrasing. Some tightening is possible. | 2 / 3 |
Actionability | Provides fully executable commands (npx -y endorctl scan with specific flags), concrete MCP tool parameters (scan_types, scan_options), specific resource_type values for hydration, and copy-paste-ready markdown templates for output presentation. The routing logic is explicit and the CLI fallback is clearly specified. | 3 / 3 |
Workflow Clarity | Two clearly separated workflows (pre-commit vs default) with explicit routing criteria, numbered sequential steps, validation/hydration steps, and a comprehensive error handling table covering both paths. The 'do not' guardrails (e.g., don't use MCP scan for pre-commit, don't use --output-type with --pre-commit-checks) serve as validation checkpoints preventing common mistakes. | 3 / 3 |
Progressive Disclosure | References external files (rules/endor-safety.md, references/data-sources.md, CLAUDE.md, /endor-setup) which is good, but the skill itself is quite long (~150+ lines) with the full presentation templates inlined. The two presentation templates and the secret types table could potentially be split into referenced files. However, no bundle files are provided, so we can't verify the references resolve. | 2 / 3 |
Total | 10 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- endorlabs/skills-ideas
- Commit
b958adc
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.