security_audit

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description carries the full burden of behavioral disclosure. It mentions 'Audit all indexed components' but doesn't clarify what an audit entails (e.g., is it read-only, does it modify data, does it require specific permissions, what are rate limits, or what happens if vulnerabilities are found?). This leaves critical behavioral traits unspecified for a security-related tool.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that front-loads the core action and target without unnecessary words. It's appropriately sized for a simple tool, with no wasted language.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of a security audit tool with no annotations, 1 parameter (poorly documented in schema), and an output schema (which helps but isn't described), the description is incomplete. It lacks details on behavior, usage context, and parameter meaning, making it inadequate for an agent to fully understand the tool's role and invocation.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The description doesn't mention any parameters, while the input schema has 1 parameter with 0% description coverage (only a basic description in the schema). Since schema coverage is low, the description should compensate but doesn't, leaving the 'risk_level' parameter's role unclear. However, with only 1 parameter, the baseline is slightly higher, but the description adds no value beyond the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description states the action ('Audit') and target ('all indexed components for security vulnerabilities'), which provides a basic purpose. However, it's vague about scope and doesn't distinguish from sibling tools like 'security_scan' or 'backfill_security_scans', leaving ambiguity about when to use this specific audit tool versus alternatives.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance is provided on when to use this tool versus alternatives such as 'security_scan' or 'backfill_security_scans'. The description implies a broad audit but doesn't specify prerequisites, timing, or exclusions, leaving the agent with no clear usage context.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.