endor-setup

Fail

Audited by Socket on Mar 12, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The skill exhibits coherent alignment with its stated aim of automating endorctl setup and scanning in non-interactive environments. However, the footprint introduces substantial security concerns: unverifiable binary installation from a remote API, potential credential exposure via env vars/config, and complex multi-tenant authentication flows that can leak prompts or tokens in non-interactive contexts. Overall, the risk is elevated due to supply-chain and credential exposure patterns, leading to a Suspicious classification with high precaution. Recommendation: constrain to verifiable package sources, implement robust checksum/signature verification, minimize credential exposure, and formally separate non-interactive automation from browser-based authentication flows; add explicit audit logs and secure handling for credentials.

Confidence: 98%
Severity: 82%
Audit Metadata

Analyzed At: Mar 12, 2026, 04:12 AM
Package URL: pkg:socket/skills-sh/endorlabs%2Fai-plugins%2Fendor-setup%2F@8c2ead18525e1aa148b693c853737d67accae002