scan_code

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Since no annotations are provided, the description carries full burden. It discloses that code is not sent to external APIs, secrets/PII are masked with short evidence, and each finding includes 'why_it_matters' and 'safe_fix'. No contradictions.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two short paragraphs, front-loading purpose. It is mostly efficient but could be slightly more concise (e.g., the list of issue types could be shortened). Still, no wasted sentences.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has 5 parameters (1 required) and an output schema, the description adequately covers behavioral aspects and return structure (masking, why_it_matters, safe_fix). However, it fails to explain optional parameters, which is a notable gap for completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0% (no descriptions in input schema). The description only explains the 'code' parameter implicitly (the snippet to scan) but does not detail 'filename', 'language', 'scenario', or 'profile'. It adds value for output structure but not for parameters.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states it scans code for security vulnerabilities (specific verb+resource) and lists types of issues. It distinguishes itself from the sibling tool 'scan_path' by specifying that 'scan_path' is for file/folder paths.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides explicit when-to-use (when user asks about code safety or requests a security review) and when-not-to-use (file/folder paths: use scan_path). This clearly differentiates from alternatives.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.