endor-api

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Automatically downloads the endorctl utility from the NPM registry using npx to perform API operations. This is a verified vendor resource.
  • [COMMAND_EXECUTION]: Utilizes shell commands to execute the endorctl tool for listing, retrieving, and creating resources within the Endor Labs platform.
  • [DATA_EXFILTRATION]: Facilitates data exchange with api.endorlabs.com. This communication is required for the skill's primary function and targets the official vendor endpoint.
  • [PROMPT_INJECTION]: The skill represents an indirect prompt injection surface because it processes external data from API responses (e.g., project names, finding descriptions).
      • Ingestion points: API responses from api.endorlabs.com (referenced in SKILL.md).
      • Boundary markers: None identified in the instructional flow.
      • Capability inventory: Includes execution of CLI commands via npx and multiple MCP tools such as scan and security_review.
      • Sanitization: No explicit sanitization or filtering of API output before it is presented to the agent or user is documented.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 04:26 AM