Back to Plugins

Ai Plugins

Set up endorctl and use Endor Labs to scan, prioritize, and fix security risks across your software supply chain

securityai
By anthropics
6Updated 6 days agoShellMIT

Installation

/plugin install ai-plugins@claude-plugins-official

How to install

  1. Open Claude Code in your terminal
  2. Run the installation command above
  3. The plugin will be enabled automatically
  4. Use the plugin's features in your Claude Code sessions

🧩 Endor Labs AI Plugins

Public distribution repository for Endor Labs Agent Kit packages across Claude Code, Codex, Gemini CLI, Antigravity CLI, Cursor IDE, Cursor SDK, and root MCP support context.

[!IMPORTANT] This repo is the distribution mirror. Agent behavior, generated package shape, guardrails, tests, and source documentation are owned by πŸ™ The Endor Labs Agent Kit.

Current generated Agent Kit package version: 2.1.0. Agent Kit maintainer merges open or update generated distribution PRs in this repo, but they do not automatically bump package versions. Version bumps are intentional release actions from the source repo.

🚦 Start Here

I want to...Go here
πŸš€ Install a host packageQuick Start
🧾 See what changedCHANGELOG.md
πŸ–±οΈ Use Cursor IDE agentsCursor IDE
🐍 Run Cursor SDK automationcursor-sdk/README.md
πŸ€– Ask an agent to review this mirrordocs/for-agents.md
πŸ“¦ Sync from Agent Kit sourcedocs/distribution-sync.md
βœ… Prepare a releasedocs/plugin-release-checklist.md

A machine-readable index is available in llms.txt.

🧭 Browse The Distribution

AreaWhat is inside
πŸ§‘β€πŸ’» Claude Code.claude-plugin/marketplace.json, plugins/claude/endor-labs-agent-kit/, legacy plugins/claude/ai-plugins/
🧠 Codex.agents/plugins/marketplace.json, plugins/codex/endor-labs-agent-kit/
πŸ’Ž Gemini CLIplugins/gemini/endor-labs-agent-kit/
πŸ›« Antigravity CLIplugins/antigravity/endor-labs-agent-kit/
πŸ–±οΈ Cursor IDE.cursor-plugin/, root agents/, root skills/, root advisory hooks/, assets/logo.png
🐍 Cursor SDKcursor-sdk/ Python launcher, generated prompts, and agent definitions
πŸ” Root support.mcp.json, GEMINI.md
🧾 Release docsdocs/, llms.txt, plugins/README.md

πŸš€ Quick Start

Pick your host, install the package, then run setup. Setup checks local readiness and does not run scans.

Use the endor-agent-kit-setup skill to check Endor Agent Kit readiness. Do not run scans.

Claude Code

Install the preferred package id:

/plugin marketplace add endorlabs/ai-plugins
/plugin install endor-labs-agent-kit@endorlabs
/reload-plugins
/agents

Existing Claude Code users pinned to the historical id can keep using:

/plugin marketplace add endorlabs/ai-plugins
/plugin install ai-plugins@endorlabs
/reload-plugins
/agents

Do not enable endor-labs-agent-kit@endorlabs and ai-plugins@endorlabs in the same Claude profile for normal use. They expose the same setup skill and agents.

Details: plugins/claude/endor-labs-agent-kit/README.md.

Codex

Add the Endor Labs marketplace, restart Codex, then install Endor Labs Agent Kit from the Codex plugin directory:

codex plugin marketplace add endorlabs/ai-plugins \
  --sparse .agents/plugins \
  --sparse plugins/codex/endor-labs-agent-kit

After installation, start a new Codex thread and ask setup to install or update the bundled Endor custom agents:

Use the endor-agent-kit-setup skill to check readiness and install the bundled Codex custom agents.

Details: plugins/codex/endor-labs-agent-kit/README.md.

Cursor IDE

Install the current public Cursor Marketplace package from Cursor Agent chat:

/add-plugin endorlabs

Marketplace page: cursor.com/marketplace/endorlabs.

Open the target project folder, reload Cursor if prompted, then run setup:

Use the endor-agent-kit-setup skill to set up endorctl.

Cursor SDK

Use the SDK lane for Python automation, CI, orchestration, backend services, or Cursor cloud agents:

python3 -m pip install -r cursor-sdk/requirements.txt
export CURSOR_API_KEY="crsr_..."
python cursor-sdk/run_cursor_agent.py endor-probe-droid-agent \
  --workspace /path/to/repo \
  "Explain what evidence you need to assess GitHub onboarding gaps. Keep it read-only."

Cloud run shape:

python cursor-sdk/run_cursor_agent.py endor-sca-remediation-agent \
  --mode cloud \
  --repo-url https://github.com/your-org/your-repo \
  --ref main \
  "Prepare a remediation plan only. Do not edit files or open a PR."

Gemini CLI

Install the generated Gemini extension package from the public repository:

git clone https://github.com/endorlabs/ai-plugins
gemini extensions install ./ai-plugins/plugins/gemini/endor-labs-agent-kit
gemini extensions list

For local validation from a checkout, install the generated extension directory:

gemini extensions install ./plugins/gemini/endor-labs-agent-kit

Restart Gemini CLI after installing or reinstalling the extension.

Google documents Antigravity CLI as the consumer transition path for Gemini CLI. Use the Gemini package for supported Gemini CLI environments and compatibility checks; use the Antigravity package below for affected Gemini CLI consumer accounts.

Details: plugins/gemini/endor-labs-agent-kit/README.md.

Antigravity CLI

Clone the distribution repo, then install the generated plugin directory:

git clone https://github.com/endorlabs/ai-plugins
cd ai-plugins
agy plugin validate ./plugins/antigravity/endor-labs-agent-kit
agy plugin install ./plugins/antigravity/endor-labs-agent-kit
agy plugin list

Some Antigravity installs expose the command as antigravity instead of agy; use the same plugin validate, plugin install, and plugin list subcommands. Restart Antigravity CLI if newly installed skills or subagents are not visible.

Details: plugins/antigravity/endor-labs-agent-kit/README.md.

⚑ Agent Quick Starts

AgentBest forCursor / SDK nameSafetyFirst prompt
πŸ”Ž AI SAST TriageTriage Endor AI SAST findings and prepare approved change requestsendor-ai-sast-triage-agentapproval-gated mutatingTriage AI SAST findings for this repository. Do not edit files, open a PR/MR, create a ticket, or write an Endor policy until I approve the specific gate.
🧭 CI/CD And Supply Chain PostureAssess CI/CD and supply chain posture from existing Endor findings and read-only GitHub configuration evidenceendor-cicd-posture-agentread-onlyAssess CI/CD and supply chain posture for namespace <namespace>. Keep it read-only and validate the deterministic score.
βš–οΈ Dependency Decision HelperDecide whether to add, upgrade to, or keep a specific package versionendor-dependency-decision-helper-agentread-onlyAssess whether we should use npm lodash version 4.17.20. Keep it read-only.
πŸ“Š Package Risk SummarySummarize the risk profile of a specific package versionendor-package-risk-summary-agentread-onlySummarize npm lodash version 4.17.20 with verified Endor evidence. Keep it read-only.
πŸ“š Repository Dependency ReviewerReview local dependency manifests with read-only file inspection and Endor evidenceendor-repository-dependency-reviewer-agentread-onlyReview this repository's dependency manifests with read-only evidence only.
⬆️ Upgrade Impact AnalysisAnalyze Endor platform upgrade impact with VersionUpgrade, CIA, findings, and manifest contextendor-upgrade-impact-analysis-agentread-onlyShow the safest upgrade path for repository <owner>/<repo> package lodash. Keep it read-only.
πŸ’¬ Vulnerability ExplainerUnderstand a specific CVE, GHSA, or Endor vulnerability and what to do nextendor-vulnerability-explainer-agentread-onlyExplain CVE-2021-44228 using verified Endor evidence. Keep it read-only.
🧯 Endor TroubleshooterDiagnose setup, scan, auth, policy, or integration issuesendor-troubleshooter-agentread-onlyDiagnose this Endor issue from redacted error text and read-only tenant evidence. Keep it read-only.
πŸ” Findings BrowserBrowse, filter, and summarize existing Endor findingsendor-findings-browser-agentread-onlyShow the critical and high reachable findings for namespace <namespace>. Keep it read-only.
πŸ€– Malware ResponseCorrelate supply-chain malware intelligence against tenant inventoryendor-malware-response-agentread-onlyUse the malware-response workflow. Keep it within its generated safety contract.
πŸ“‘ Probe DroidAssess GitHub onboarding and monitored-branch coverage gapsendor-probe-droid-agentread-onlyExplain what evidence you need to assess GitHub onboarding gaps for this repository. Keep it read-only.
πŸ—ΊοΈ Remediation PlannerPreview safe dependency remediation options without opening PRsendor-remediation-planner-agentread-onlyPreview remediation options for this repository. Do not edit files or open a PR/MR.
πŸ› οΈ SCA RemediationFind safe dependency remediation paths with Endor SCA evidenceendor-sca-remediation-agentapproval-gated mutatingInspect this repository and prepare a remediation plan only. Do not edit files, create branches, push, open a PR/MR, create a ticket, or write Endor policy.
🧰 SetupCheck host, auth, namespace, endorctl, gh, and workflow readinessendor-agent-kit-setup-agentread-onlyCheck Endor Agent Kit readiness for this repository. Do not run scans.

The provider packages expose the same generated workflow set from Agent Kit source recipes. Use the host package README for exact install and invocation syntax.

πŸ“¦ Distribution Paths

HostDistribution pathNotes
Claude Code.claude-plugin/marketplace.json, plugins/claude/endor-labs-agent-kit/, plugins/claude/ai-plugins/Preferred package plus legacy compatibility.
Codex.agents/plugins/marketplace.json, plugins/codex/endor-labs-agent-kit/Skills, custom-agent TOML files, and installer script.
Gemini CLIplugins/gemini/endor-labs-agent-kit/Directory install locally; tagged GitHub repo for public installs.
Antigravity CLIplugins/antigravity/endor-labs-agent-kit/Package directory with root plugin.json.
Cursor IDE.cursor-plugin/, agents/, skills/, hooks/, assets/logo.pngSource-generated Cursor plugin agents, support skills, and advisory hooks.
Cursor SDKcursor-sdk/Python SDK launcher, generated prompts, and local/cloud run instructions.
Root support.mcp.json, GEMINI.mdOptional MCP support context; the repository root is not a Gemini extension root.

πŸ”’ Safety Rules

  • Setup is readiness guidance; it must not run scans or mutate repositories.
  • Setup must not run endorctl host-check.
  • Install, update, auth, namespace, and host-specific package steps must be explicit and evidence-backed.
  • Do not print, persist, or copy secret values. Report credential presence only by variable or key name.
  • Live Endor API evidence requires explicit approval and namespace provenance.
  • Mutating workflows split file edits, branch pushes, PR/MR creation, comments, tickets, approval verification, and Endor policy writes into separate gates.

πŸ” Source Sync

Do not change generated Agent Kit behavior by editing package files in this repo. Make behavior changes in the Agent Kit source repo, regenerate there, then let the Agent Kit publish workflow open a generated PR here.

Generated sync PRs should include:

  • source Agent Kit commit in the PR body
  • provenance/agent-kit-catalog.intoto.json
  • provenance/manifest.sha256
  • validation evidence for root skills, advisory hoo

…

View source on GitHub