Use this guide when you want to install and run Endor Labs Agent Kit workflows.
If you are changing agent behavior or publishing the public distribution mirror,
use docs/maintainer-guide.md or docs/distribution-sync.md instead.
| Host | Start Here | Good Fit |
|---|---|---|
| Claude Code | plugins/claude/endor-labs-agent-kit/README.md |
Plugin install with Claude Code agents and setup skill. |
| Codex | plugins/codex/endor-labs-agent-kit/README.md |
Plugin install with Codex skills plus optional managed custom-agent TOML files. |
| Gemini CLI | plugins/gemini/endor-labs-agent-kit/README.md |
Gemini extension install with skills and preview subagents. |
| Antigravity CLI | plugins/antigravity/endor-labs-agent-kit/README.md |
Antigravity plugin install with skills and subagents. |
| Cursor | .cursor-plugin/, root agents/, root skills/, root hooks/, and assets/logo.png |
Cursor plugin metadata with generated workflow agents, support skills, and advisory hooks. |
| Cursor SDK | cursor-sdk/README.md |
Python SDK automation for local workspaces, CI, orchestration, backend services, or Cursor cloud agents. |
| Manual single-agent install | <host>/<agent>/README.md |
One workflow in one host without the full plugin package. |
| Runtime-neutral integration | portable/<agent>/README.md |
Internal runtime with its own adapters, approvals, audit, and credentials. |
The public distribution repo is endorlabs/ai-plugins. This source repo owns
recipes, generation, tests, and guardrails.
Google documents Antigravity CLI as the consumer transition path for Gemini CLI. Use the Gemini package for supported Gemini CLI environments and compatibility checks; use the Antigravity package for affected Gemini CLI consumer accounts.
Claude Code public install for new users:
/plugin marketplace add endorlabs/ai-plugins --sparse .claude-plugin plugins/claude
/plugin install endor-labs-agent-kit@endorlabs
/reload-plugins
/agents
Existing Claude Code users pinned to the historical id can keep using:
/plugin marketplace add endorlabs/ai-plugins --sparse .claude-plugin plugins/claude
/plugin install ai-plugins@endorlabs
Do not enable endor-labs-agent-kit@endorlabs and ai-plugins@endorlabs in
the same Claude profile for normal use. They expose the same setup skill and
agents.
For Codex, Gemini CLI, Antigravity CLI, and Cursor, use the host package README
or package metadata because their public install commands depend on the pushed
tag and host-specific marketplace behavior. Cursor IDE uses .cursor-plugin/,
root agents/, root skills/, root advisory hooks/, and assets/logo.png;
Cursor SDK automation uses cursor-sdk/; Gemini uses
plugins/gemini/endor-labs-agent-kit/.
Use the SDK lane when the workflow should be launched from Python code instead of installed into the Cursor IDE.
python3 -m pip install -r cursor-sdk/requirements.txt
export CURSOR_API_KEY="crsr_..."
python cursor-sdk/run_cursor_agent.py endor-probe-droid-agent \
--workspace /path/to/repo \
"Explain what evidence you need to assess GitHub onboarding gaps. Keep it read-only."For Cursor cloud agents:
python cursor-sdk/run_cursor_agent.py endor-sca-remediation-agent \
--mode cloud \
--repo-url https://github.com/your-org/your-repo \
--ref main \
"Prepare a remediation plan only. Do not edit files or open a PR."After installing a plugin, ask the host to run the setup skill:
Use the endor-agent-kit-setup skill to check Endor Agent Kit readiness.
Setup is readiness guidance. It can report missing endorctl, gh, namespace,
auth, MCP, or toolchain prerequisites. It must not run scans, run
endorctl host-check, edit shell profiles, install language runtimes, install
package managers, or write credentials.
| Job | Workflow |
|---|---|
| Triage Endor AI SAST findings | ai-sast-triage |
| Assess CI/CD and supply chain posture | cicd-posture |
| Diagnose Endor setup, scan, auth, policy, or integration issues | endor-troubleshooter |
| Browse, filter, and summarize existing Endor findings | findings-browser |
| Correlate supply-chain malware intelligence against tenant inventory | malware-response |
| Probe GitHub onboarding and monitored-branch coverage gaps | probe-droid |
| Find safe dependency remediation paths with Endor SCA evidence | sca-remediation |
| Compare package risk or a dependency decision | dependency-decision-helper, package-risk-summary |
| Review repository dependencies or remediation options | repository-dependency-reviewer, remediation-planner |
| Analyze upgrade impact or explain vulnerabilities | upgrade-impact-analysis, vulnerability-explainer |
Each workflow above is generated for the supported host packages. Use the selected host README for exact invocation names and install paths.
Use the ai-sast-triage skill to triage AI SAST findings for this repository. Do not edit files, open a PR/MR, or create an Endor policy unless I approve the specific gate.
Use the sca-remediation skill to check this repository for P0 SCA findings I can start remediating. Do not edit files or open a PR/MR until I approve.
Use the probe-droid skill to probe GitHub org <org> for Endor monitored-branch onboarding gaps and setup prescriptions. Keep the workflow read-only.
Use the endor-troubleshooter skill to diagnose this Endor issue from redacted error text and read-only tenant evidence. Keep the workflow read-only.
Use the cicd-posture skill to assess CI/CD and supply chain posture for namespace <namespace>. Keep it read-only and validate the deterministic score.
Use the findings-browser skill to show the critical and high reachable findings for namespace <namespace>. Keep it read-only.
- Setup and read-only workflows must not mutate Endor, source providers, package managers, or repositories.
- Mutating workflows split file edits, branch pushes, PR/MR creation, PR/MR comments, tickets, approval verification, and Endor policy writes into separate approval gates.
- Agents must report unavailable evidence in
data_gapsinstead of inventing facts. - Secret values must never be printed, persisted, copied into prompts, or written into generated artifacts.
- Agent and host catalog:
README.md - Agent-facing operating rules:
docs/for-agents.md - Maintainer workflow:
docs/maintainer-guide.md - Public mirror sync:
docs/distribution-sync.md - Runtime-neutral adapter requirements:
docs/portable-runtime-conformance.md