TurboPentest

List Pentests

list_pentests

View and manage penetration tests with status and finding counts to track security assessments in TurboPentest.

Instructions

List all your pentests with status and finding counts. Results are ordered newest first.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`limit`	No	Maximum number of results to return
`status`	No	Filter by scan status

Implementation Reference

src/tools/list-pentests.ts:5-81 (registration)

Registration of the 'list_pentests' MCP tool.

export function registerListPentests(server: McpServer, client: TurboPentestClient): void {
  server.registerTool(
    "list_pentests",
    {
      title: "List Pentests",
      description:
        "List all your pentests with status and finding counts. " +
        "Results are ordered newest first.",
      inputSchema: z.object({
        limit: z
          .number()
          .int()
          .min(1)
          .max(100)
          .default(10)
          .describe("Maximum number of results to return"),
        status: z
          .enum(["queued", "scanning", "complete", "failed"])
          .optional()
          .describe("Filter by scan status"),
      }),
    },
    async ({ limit, status }) => {
      try {
        let scans = await client.listPentests();

        if (status) {
          scans = scans.filter((s) => s.status === status);
        }

        scans = scans.slice(0, limit);

        if (scans.length === 0) {
          return {
            content: [
              {
                type: "text" as const,
                text: status
                  ? `No pentests found with status "${status}".`
                  : "No pentests found. Use start_pentest to launch one.",
              },
            ],
          };
        }

        const lines = [`Pentests (showing ${scans.length})`, ""];

        for (const scan of scans) {
          const severityCounts: Record<string, number> = {};
          for (const f of scan.findings ?? []) {
            severityCounts[f.severity] = (severityCounts[f.severity] || 0) + 1;
          }
          const findingSummary = Object.entries(severityCounts)
            .map(([sev, count]) => `${count} ${sev}`)
            .join(", ");

          lines.push(
            `  ${scan.id}`,
            `    Target:   ${scan.targetUrl}`,
            `    Status:   ${scan.status}`,
            `    Created:  ${scan.createdAt}`,
            `    Findings: ${findingSummary || "none"}`,
            "",
          );
        }

        return { content: [{ type: "text" as const, text: lines.join("\n") }] };
      } catch (error) {
        const message = error instanceof Error ? error.message : String(error);
        return {
          content: [{ type: "text" as const, text: `Failed to list pentests: ${message}` }],
          isError: true,
        };
      }
    },
  );
}

src/tools/list-pentests.ts:13-25 (schema)

Zod schema for 'list_pentests' tool arguments.

inputSchema: z.object({
  limit: z
    .number()
    .int()
    .min(1)
    .max(100)
    .default(10)
    .describe("Maximum number of results to return"),
  status: z
    .enum(["queued", "scanning", "complete", "failed"])
    .optional()
    .describe("Filter by scan status"),
}),

src/tools/list-pentests.ts:27-79 (handler)

The handler function that executes the tool logic, including filtering and formatting the pentest scan results.

async ({ limit, status }) => {
  try {
    let scans = await client.listPentests();

    if (status) {
      scans = scans.filter((s) => s.status === status);
    }

    scans = scans.slice(0, limit);

    if (scans.length === 0) {
      return {
        content: [
          {
            type: "text" as const,
            text: status
              ? `No pentests found with status "${status}".`
              : "No pentests found. Use start_pentest to launch one.",
          },
        ],
      };
    }

    const lines = [`Pentests (showing ${scans.length})`, ""];

    for (const scan of scans) {
      const severityCounts: Record<string, number> = {};
      for (const f of scan.findings ?? []) {
        severityCounts[f.severity] = (severityCounts[f.severity] || 0) + 1;
      }
      const findingSummary = Object.entries(severityCounts)
        .map(([sev, count]) => `${count} ${sev}`)
        .join(", ");

      lines.push(
        `  ${scan.id}`,
        `    Target:   ${scan.targetUrl}`,
        `    Status:   ${scan.status}`,
        `    Created:  ${scan.createdAt}`,
        `    Findings: ${findingSummary || "none"}`,
        "",
      );
    }

    return { content: [{ type: "text" as const, text: lines.join("\n") }] };
  } catch (error) {
    const message = error instanceof Error ? error.message : String(error);
    return {
      content: [{ type: "text" as const, text: `Failed to list pentests: ${message}` }],
      isError: true,
    };
  }
},

Tool Definition Quality

B3.3/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries full burden for behavioral disclosure. It mentions ordering ('newest first') and what data is returned ('status and finding counts'), but doesn't cover important aspects like pagination behavior (only mentions 'limit' parameter), authentication requirements, rate limits, error conditions, or whether this is a read-only operation. For a listing tool with no annotation coverage, this leaves significant gaps.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence with zero wasted words. It's front-loaded with the core purpose and includes only essential additional details about ordering and data included. Every element earns its place.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a listing tool with 2 parameters (fully documented in schema) and no output schema, the description provides basic but incomplete context. It covers what data is returned and ordering, but lacks information about response format, pagination beyond the 'limit' parameter, error handling, and authentication requirements. Given the complexity level and absence of annotations/output schema, this is minimally adequate but has clear gaps.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema fully documents both parameters. The description doesn't add any parameter-specific information beyond what's in the schema (no syntax hints, format details, or usage examples). This meets the baseline of 3 when the schema does the heavy lifting.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb ('List') and resource ('all your pentests') with additional details about what information is included ('status and finding counts'). It distinguishes from some siblings like 'get_pentest' (singular) and 'start_pentest' (creation), but doesn't explicitly differentiate from 'list_domains' which is a similar listing operation for a different resource.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines3/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage by mentioning ordering ('newest first'), but provides no explicit guidance on when to use this tool versus alternatives like 'get_pentest' (for a specific pentest) or 'get_findings' (for detailed findings). No prerequisites, exclusions, or comparative context with siblings is provided.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/IntegSec/turbopentest-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server