Brute-force directories, files, DNS subdomains, and virtual hosts on web servers to discover hidden resources.
Directory/file brute forcing
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | ||
| session_id | Yes | ||
| mode | No | dir |
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations present, the description bears full responsibility for disclosing behavioral traits. It fails to convey that gobuster is a brute-forcing tool that may generate significant network traffic, require specific permissions, or have rate-limiting considerations. The brief phrase does not indicate whether the tool is read-only or destructive.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is extremely concise (three words), but conciseness is not helpful when it sacrifices essential information. It front-loads nothing of value and leaves the agent guessing about critical details. A more balanced description would include at least the modes and parameter roles.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the tool complexity (3 parameters, one enum, no output schema), the description is woefully incomplete. It does not explain how to use the tool, what the returned output looks like, or any constraints on the URL or session_id. This leaves an agent unable to invoke the tool correctly without external knowledge.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
The input schema has 0% description coverage, meaning no parameter descriptions exist. The tool description does not compensate by explaining the purpose of url, session_id, or mode (e.g., how mode = 'dns' changes behavior). For a tool requiring session_id and offering multiple modes, this omission severely impairs correct usage.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description 'Directory/file brute forcing' gives a general idea but fails to mention that the tool also supports DNS and vhost modes, as indicated by the mode enum. This omission could mislead an agent into thinking it only does directory/file brute forcing, while it actually has broader capabilities. Sibling tools like ffuf and wfuzz also perform similar tasks, so more specificity is needed.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
No guidance is provided on when to use gobuster versus its siblings like ffuf, wfuzz, or nmap. An agent would have no context to decide which tool is appropriate for a given task. The description does not mention any prerequisites, such as the need for a valid session_id or URL format.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/MohitSahoo/MCPToolForWebVulnerabilities-'
If you have feedback or need assistance with the MCP directory API, please join our Discord server