Threat Intelligence MCP Server

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden of behavioral disclosure. It mentions the tool 'gets' data and returns JSON, but fails to describe critical behaviors such as whether this is a read-only operation (implied but not stated), any rate limits, authentication requirements, or what happens with invalid inputs (e.g., negative days). For a tool with no annotation coverage, this leaves significant gaps in understanding its operational traits.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured and front-loaded with the core purpose, followed by clear sections for arguments and returns. Every sentence earns its place: the first states what the tool does, the next two explain parameters succinctly, and the last specifies the return format. There is zero waste, making it easy for an agent to parse quickly.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity (2 parameters, no nested objects) and the presence of an output schema (which handles return values), the description is largely complete. It covers the purpose, parameters, and return format adequately. However, it lacks details on behavioral aspects like error handling or data freshness, which would be helpful since no annotations are provided to fill those gaps.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description must compensate by explaining parameters, which it does effectively. It clarifies that 'days' retrieves vulnerabilities added in the last N days with a default of 30, and 'vendor' is an optional filter by vendor name. This adds meaningful context beyond the bare schema, covering both parameters' purposes and defaults, though it could benefit from examples or format details (e.g., vendor name casing).

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with a specific verb ('Get') and resource ('CISA Known Exploited Vulnerabilities'), making it immediately understandable. It distinguishes itself from sibling tools like 'get_recent_iocs' or 'get_threat_feeds' by focusing specifically on CISA's KEV database, which is a distinct dataset of known exploited vulnerabilities rather than general indicators or feeds.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage through the mention of filtering by days and vendor, suggesting it's for retrieving recent or vendor-specific vulnerabilities. However, it lacks explicit guidance on when to use this tool versus alternatives like 'get_recent_iocs' (which might overlap in recency) or 'check_network_against_threats' (which could involve KEV data), leaving the agent to infer context without clear exclusions or named alternatives.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.