
endor-supply-chain

Assess supply chain risk for your repository by scanning dependencies, secrets, and GitHub Actions workflows using Endor Labs. Use when the user says "supply chain risk", "supply chain assessment", "assess my supply chain", "endor supply chain", "third-party risk", "software supply chain", or wants a combined view of dependency vulnerabilities, leaked secrets, and CI/CD pipeline risks. Do NOT use for GitHub Actions workflows only (/endor-ghactions), code-level SAST scanning (/endor-sast), single package checks (/endor-check), or full reachability analysis (/endor-scan-full).

72

Quality: 88% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security (by Snyk): Passed, no known issues


Quality

Discovery: 100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms, explicit 'Use when' and 'Do NOT use' guidance, and clear differentiation from related skills. The negative boundary definitions referencing other skills by name are particularly effective for disambiguation in a multi-skill environment.

Dimension / Reasoning / Score

Specificity (3 / 3)
Lists multiple specific concrete actions: 'scanning dependencies, secrets, and GitHub Actions workflows' and specifies the tool (Endor Labs). Also explicitly names what it produces: 'a combined view of dependency vulnerabilities, leaked secrets, and CI/CD pipeline risks.'

Completeness (3 / 3)
Clearly answers both 'what' (assess supply chain risk by scanning dependencies, secrets, and workflows) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Additionally includes 'Do NOT use' guidance with references to alternative skills, which further strengthens completeness.

Trigger Term Quality (3 / 3)
Excellent coverage of natural trigger terms users would say: 'supply chain risk', 'supply chain assessment', 'assess my supply chain', 'endor supply chain', 'third-party risk', 'software supply chain'. These are realistic phrases a user would naturally use.

Distinctiveness / Conflict Risk (3 / 3)
Exceptionally distinctive — explicitly delineates boundaries with 'Do NOT use' clauses referencing four other specific skills (/endor-ghactions, /endor-sast, /endor-check, /endor-scan-full), making it very clear when this skill should and should not be selected.

Total: 12 / 12

Passed

Implementation: 77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, highly actionable skill that provides clear step-by-step guidance for supply chain risk assessment. Its main strength is the concrete tool usage instructions and comprehensive error handling table. The primary weakness is the lengthy inline report template which inflates the token cost, and the referenced files cannot be verified since no bundle was provided.

Suggestions

Consider extracting the full markdown report template into a separate reference file (e.g., references/supply-chain-report-template.md) to reduce the main skill's token footprint while preserving the detailed formatting guidance.

Trim minor redundancies such as the repeated 'Show exact error messages — do not guess at causes' instruction which appears both in Step 2 and the Error Handling section.

Dimension / Reasoning / Score

Conciseness (2 / 3)
The skill is reasonably efficient but includes some content that could be tightened — the full markdown report template is quite long and the priority order list is somewhat verbose. However, it avoids explaining basic concepts and most content is instructional rather than explanatory.

Actionability (3 / 3)
Provides concrete MCP tool calls with specific parameters, a CLI fallback with an executable command, exact scan_types arrays, and detailed output templates. Each step has specific, actionable instructions including tool names, parameter names, and values.

Workflow Clarity (3 / 3)
Clear 4-step sequential workflow with explicit handling of partial success, error recovery table, and validation checkpoints (e.g., checking for workflows directory before scanning, handling partial results). The error handling table provides a comprehensive feedback loop for common failure modes.

Progressive Disclosure (2 / 3)
References `references/reachability-tags.md` and `references/data-sources.md` appropriately, and points to other skills for next steps. However, no bundle files are provided to verify these references exist, and the lengthy report template could potentially be extracted to a separate reference file to keep the main skill leaner.

Total: 10 / 12

Passed

Validation: 100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure: No warnings or errors.

Repository: endorlabs/skills-ideas (Reviewed)
