Assess supply chain risk for your repository by scanning dependencies, secrets, and GitHub Actions workflows using Endor Labs. Use when the user says "supply chain risk", "supply chain assessment", "assess my supply chain", "endor supply chain", "third-party risk", "software supply chain", or wants a combined view of dependency vulnerabilities, leaked secrets, and CI/CD pipeline risks. Do NOT use for GitHub Actions workflows only (/endor-ghactions), code-level SAST scanning (/endor-sast), single package checks (/endor-check), or full reachability analysis (/endor-scan-full).
72
88%
Impact: — (No eval scenarios have been run)
Passed: No known issues
Quality: Does it follow best practices?
Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms, explicit 'Use when' and 'Do NOT use' guidance, and clear differentiation from related skills. The negative boundary definitions referencing other skills by name are particularly effective for disambiguation in a multi-skill environment.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'scanning dependencies, secrets, and GitHub Actions workflows' and specifies the tool (Endor Labs). Also explicitly names what it produces: 'a combined view of dependency vulnerabilities, leaked secrets, and CI/CD pipeline risks.' | 3 / 3 |
| Completeness | Clearly answers both 'what' (assess supply chain risk by scanning dependencies, secrets, and workflows) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Additionally includes 'Do NOT use' guidance with references to alternative skills, which further strengthens completeness. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'supply chain risk', 'supply chain assessment', 'assess my supply chain', 'endor supply chain', 'third-party risk', 'software supply chain'. These are realistic phrases a user would naturally use. | 3 / 3 |
| Distinctiveness / Conflict Risk | Exceptionally distinctive — explicitly delineates boundaries with 'Do NOT use' clauses referencing four other specific skills (/endor-ghactions, /endor-sast, /endor-check, /endor-scan-full), making it very clear when this skill should and should not be selected. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-structured, highly actionable skill that provides clear step-by-step guidance for supply chain risk assessment. Its main strength is the concrete tool usage instructions and comprehensive error handling table. The primary weakness is the lengthy inline report template which inflates the token cost, and the referenced files cannot be verified since no bundle was provided.
Suggestions

- Consider extracting the full markdown report template into a separate reference file (e.g., references/supply-chain-report-template.md) to reduce the main skill's token footprint while preserving the detailed formatting guidance.
- Trim minor redundancies such as the repeated 'Show exact error messages — do not guess at causes' instruction, which appears both in Step 2 and the Error Handling section.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is reasonably efficient but includes some content that could be tightened — the full markdown report template is quite long and the priority order list is somewhat verbose. However, it avoids explaining basic concepts and most content is instructional rather than explanatory. | 2 / 3 |
| Actionability | Provides concrete MCP tool calls with specific parameters, a CLI fallback with an executable command, exact scan_types arrays, and detailed output templates. Each step has specific, actionable instructions including tool names, parameter names, and values. | 3 / 3 |
| Workflow Clarity | Clear 4-step sequential workflow with explicit handling of partial success, an error recovery table, and validation checkpoints (e.g., checking for the workflows directory before scanning, handling partial results). The error handling table provides a comprehensive feedback loop for common failure modes. | 3 / 3 |
| Progressive Disclosure | References `references/reachability-tags.md` and `references/data-sources.md` appropriately, and points to other skills for next steps. However, no bundle files are provided to verify these references exist, and the lengthy report template could be extracted to a separate reference file to keep the main skill leaner. | 2 / 3 |
| Total | | 10 / 12 Passed |
Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 11 / 11 Passed
Validation for skill structure: No warnings or errors.