# Endor Labs Agent Kit Claude Code Plugin Version: `2.1.0` This generated Claude Code plugin package includes Endor Labs setup support and Claude Code agents generated from source recipes in the Endor Labs Agent Kit repository. ## Start Here | Reader | First move | | --- | --- | | Human installer | Install `endor-labs-agent-kit@endorlabs` from the public marketplace or a local checkout. Then run setup: ask Claude Code to use the `endor-agent-kit-setup` skill. | | Agent installer | Preserve generated package files exactly. Do not broaden permissions, change the logo, add plugin-wide MCP, or rewrite generated agents and skills. | | Maintainer | Change source recipes or publication code in `endor-labs-agent-kit`, regenerate with `--include-plugins`, then sync generated artifacts to `ai-plugins`. | Content releases require a package version bump. If a host still shows old prompt content after reinstalling the same version, remove or reinstall the plugin, clear the host cache when supported, and start a fresh host session. This package is host-specific for Claude Code. Use the root README when choosing between hosts. ## Install And Upgrade Notice - `endor-labs-agent-kit@endorlabs` is the preferred Claude Code plugin id for new installs. - Existing `ai-plugins@endorlabs` users can keep using the legacy compatibility package. - Do not enable both Claude plugin ids in the same profile because they expose the same agents and setup skill. - The plugin does not auto-disable, uninstall, or edit Claude settings for either id. ## Host Metadata - Manifest: `.claude-plugin/plugin.json`. - Agents: `agents/.md`, auto-discovered from the plugin root with Claude Code plugin-supported frontmatter only. - Skills: `skills/endor-agent-kit-setup/SKILL.md`, auto-discovered from the plugin root. - Hooks: `hooks/hooks.json` plus fail-open advisory scripts for routing, dependency installs, and manifest edits. - Model/runtime: packaged agents preserve supported generated agent frontmatter; the plugin does not set a plugin-wide default model. - MCP: no plugin-wide MCP server is declared by default. ## Install From The Public Repository ```text /plugin marketplace add endorlabs/ai-plugins --sparse .claude-plugin plugins/claude /plugin install endor-labs-agent-kit@endorlabs ``` ## Install From A Local Checkout From the Agent Kit repository root: ```text /plugin marketplace add ./ /plugin install endor-labs-agent-kit@endorlabs ``` Start a new Claude Code session or run `/reload-plugins` after installing or reinstalling the plugin. If Claude Code still shows stale same-version content, uninstall and reinstall the plugin id, run `/reload-plugins`, and start a new Claude Code session so host caches reload the generated agents and setup skill. ## Set Up This Machine Ask Claude Code: ```text Use the endor-agent-kit-setup skill to check Endor Agent Kit readiness. ``` The setup skill can guide package-manager-first `endorctl` installation, verify Endor auth and namespace readiness, and report missing `gh` or toolchain prerequisites. It does not run scans, run `endorctl host-check`, edit shell profiles, auto-install `gh`, or install language runtimes and package managers. ## Capabilities And Skills | Job | Claude Code agent | Safety | | --- | --- | --- | | Triage AI SAST findings | `ai-sast-triage` | mutating, approval-gated | | Assess CI/CD and supply chain posture | `cicd-posture` | read-only | | Decide whether a dependency is safe to use | `dependency-decision-helper` | read-only | | Diagnose Endor setup and scan issues | `endor-troubleshooter` | read-only | | Browse existing Endor findings | `findings-browser` | read-only | | Malware Response | `malware-response` | read-only | | Summarize package-version risk | `package-risk-summary` | read-only | | Assess GitHub onboarding gaps | `probe-droid` | read-only | | Plan remediation across findings | `remediation-planner` | read-only | | Review repository dependency manifests | `repository-dependency-reviewer` | read-only | | Find safe SCA remediation paths | `sca-remediation` | mutating, approval-gated | | Analyze upgrade impact | `upgrade-impact-analysis` | read-only | | Explain vulnerability risk and remediation | `vulnerability-explainer` | read-only | Mutating workflows keep file edits, branch pushes, PR/MR creation, comments, approval verification, and Endor policy writes behind separate approval gates. Setup never performs those workflow actions. ## Boundaries And Rules - Always run readiness and namespace checks before live Endor lookups. - Always keep setup, file edits, branch pushes, PR/MR creation, comments, tickets, and policy writes as separate evidence-backed steps. - Never run setup scans or `endorctl host-check`. - Never auto-install `gh`, language runtimes, or package managers. - Never print, persist, or copy Endor API key, secret, token, or full config values. ## Provider Notes Claude Code plugin-shipped agents do not support `mcpServers`, `permissionMode`, or `hooks` in agent frontmatter. This package removes agent-local MCP frontmatter from generated Claude Code artifacts and keeps MCP setup as explicit user-guided configuration. The primary package uses plugin-level advisory hooks only; they add context and never block or run Endor commands. Before release, verify the current Claude Code plugin and marketplace docs: - https://code.claude.com/docs/en/plugins - https://code.claude.com/docs/en/plugin-marketplaces - https://code.claude.com/docs/en/plugins-reference