Assess supply chain risk for your repository by scanning dependencies, secrets, and GitHub Actions workflows using Endor Labs. Use when the user says "supply chain risk", "supply chain assessment", "assess my supply chain", "endor supply chain", "third-party risk", "software supply chain", or wants a combined view of dependency vulnerabilities, leaked secrets, and CI/CD pipeline risks. Do NOT use for GitHub Actions workflows only (/endor-ghactions), code-level SAST scanning (/endor-sast), single package checks (/endor-check), or full reachability analysis (/endor-scan-full).
Overall score: 94 (92%)
Quality: does it follow best practices?
Impact: pending (no eval scenarios have been run)
Issues: passed (no known issues)
Quality
Discovery
100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that hits all the marks. It provides specific concrete actions, comprehensive natural trigger terms, explicit 'Use when' and 'Do NOT use' clauses, and clear differentiation from related skills. The negative boundary definitions are particularly effective for disambiguation in a multi-skill environment.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: scanning dependencies, secrets, and GitHub Actions workflows. Also specifies the tool (Endor Labs) and the domain (supply chain risk assessment for repositories). | 3 / 3 |
| Completeness | Clearly answers both 'what' (assess supply chain risk by scanning dependencies, secrets, and workflows using Endor Labs) and 'when' (explicit 'Use when' clause with multiple trigger phrases). Additionally includes explicit 'Do NOT use' guidance to prevent misselection, which goes above and beyond. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms: 'supply chain risk', 'supply chain assessment', 'assess my supply chain', 'endor supply chain', 'third-party risk', 'software supply chain', plus descriptive phrases like 'dependency vulnerabilities', 'leaked secrets', 'CI/CD pipeline risks'. | 3 / 3 |
| Distinctiveness / Conflict Risk | Exceptionally distinctive — not only defines its own niche clearly but explicitly lists sibling skills it should NOT be confused with (/endor-ghactions, /endor-sast, /endor-check, /endor-scan-full), making conflict nearly impossible. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation
85%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured skill that provides clear, actionable guidance for running a supply chain risk assessment. Its strengths are the concrete MCP tool parameters, the comprehensive error handling table, and good progressive disclosure to related skills and reference files. The main weakness is the lengthy report template: while useful for output formatting, it adds verbosity and could be moved to a reference file.
Suggestions
Consider moving the detailed report template to a separate reference file (e.g., references/supply-chain-report-template.md) and keeping only a brief description of the expected output sections in the main skill to reduce token usage.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is mostly efficient and avoids explaining basic concepts, but the extensive report template with all the markdown table scaffolding is quite verbose. The priority order list and next steps section add useful but somewhat lengthy content that could be tightened. | 2 / 3 |
| Actionability | Provides concrete MCP tool calls with specific parameters, a CLI fallback with an executable command, exact scan_types arrays, and detailed output templates. Each step has specific, actionable instructions including tool names, parameter names, and values. | 3 / 3 |
| Workflow Clarity | Clear 4-step sequential workflow with explicit handling of partial results, error recovery table, and validation checkpoints (e.g., checking for workflows directory before scanning, handling partial scan success). The error handling table provides a comprehensive feedback loop for common failure modes. | 3 / 3 |
| Progressive Disclosure | References external files appropriately (references/reachability-tags.md, references/data-sources.md) and points to related skills (/endor-fix, /endor-secrets, /endor-check, etc.) for deeper dives. The main content stays focused on the supply chain assessment workflow without inlining reference material. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation
100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
344e7ff