Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations, the description carries full behavioral disclosure burden. It only states 'Get vulnerability report', implying read-only behavior, but gives no detail about side effects, authentication needs, rate limits, or what the report contains. This is insufficient for safe and accurate agent decision-making.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.