Scan for exposed secrets, credentials, API keys, and sensitive data in your codebase. Use when the user says "find secrets", "scan for API keys", "exposed credentials", "endor secrets", "check for hardcoded passwords", pre-commit / staged-only secret checks, or suspects leaked tokens in code. Detects AWS keys, GitHub tokens, Stripe keys, private keys, and more. Do NOT use for code vulnerability scanning (/endor-sast) or dependency checks (/endor-sca).
Overall score: 90
Quality: 88% (Does it follow best practices?)
Impact: Pending (No eval scenarios have been run)
Advisory: Suggest reviewing before use
Quality
Discovery
100%. Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms users would naturally use, explicit 'Use when' and 'Do NOT use' clauses, and clear differentiation from related skills. The inclusion of concrete detection targets (AWS keys, GitHub tokens, etc.) and negative boundaries makes this highly effective for skill selection.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions and detection targets: 'Scan for exposed secrets, credentials, API keys, and sensitive data', 'Detects AWS keys, GitHub tokens, Stripe keys, private keys'. Also specifies pre-commit/staged-only checks. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scan for exposed secrets, credentials, API keys in codebase, detects specific key types) and 'when' (explicit 'Use when...' clause with multiple trigger scenarios). Also includes explicit 'Do NOT use' guidance for disambiguation. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'find secrets', 'scan for API keys', 'exposed credentials', 'endor secrets', 'check for hardcoded passwords', 'leaked tokens'. Includes both natural language phrases and tool-specific terms. | 3 / 3 |
| Distinctiveness / Conflict Risk | Highly distinctive with a clear niche (secret/credential scanning). Explicitly differentiates itself from related skills by stating 'Do NOT use for code vulnerability scanning (/endor-sast) or dependency checks (/endor-sca)', which directly reduces conflict risk. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
77%. Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, highly actionable skill with clear workflow routing between pre-commit and default scan paths. Its main weakness is moderate verbosity—the inline secret types table and extensive presentation templates inflate the token cost. The safety constraints and error handling are thorough and well-organized.
Suggestions
Move the Secret Types Detected table to a reference file—Claude doesn't need 12 regex patterns in the main skill body to route and execute scans.
Reduce bold formatting density; nearly every noun is bolded, which dilutes emphasis and adds visual noise without aiding comprehension.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is fairly efficient and avoids explaining basic concepts, but the secret types table at the top is largely unnecessary, since Claude already knows common secret patterns. Some sections are repetitive (e.g., the shared rules about rotation are restated in slightly different ways). The bold formatting is excessive and adds visual noise. | 2 / 3 |
| Actionability | Provides concrete, executable commands (npx -y endorctl scan with specific flags), exact MCP tool parameters (scan_types, scan_options), and clear presentation templates with markdown table formats. The CLI fallback is also copy-paste ready. | 3 / 3 |
| Workflow Clarity | Excellent routing logic (pre-commit vs default path) with clear numbered steps, explicit validation (hydrate findings before presenting), and error handling tables for each path. The workflow includes feedback loops (endor-setup for auth failures) and explicit constraints (never use MCP scan for pre-commit, never expose literal secrets). | 3 / 3 |
| Progressive Disclosure | References external files appropriately (rules/endor-safety.md, references/data-sources.md, CLAUDE.md) and links to related skills (/endor-scan, /endor-review). However, the presentation templates are quite lengthy inline and could potentially be split out. The secret types detection table could be a reference file rather than inline content. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation
100%. Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.