HTTP Security Headers

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already indicate the tool is read-only, non-destructive, idempotent, and open-world. The description adds valuable behavioral details: it fetches the URL (implying network access), specifies error conditions for invalid/unreachable URLs, and clarifies the return structure. No contradiction.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is succinct: 4 sentences covering purpose, parameters, output, example, and errors. It front-loads the core action and lists headers clearly. No wasted words; every sentence adds value.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's moderate complexity, the description is fully adequate: it explains what the tool does, what headers it checks, the parameters, the return object, and error handling. The output schema is described sufficiently, and sibling tools are distinct, so no missing context.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, setting baseline at 3. The description adds meaning beyond the schema: for 'url' it notes the default scheme (https://), and for 'response_format' it clarifies the default value and output types. The return structure is also detailed, providing context not in the schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description explicitly states the action 'Fetch a URL and grade its HTTP security headers' and lists the specific headers checked (HSTS, CSP, etc.). It clearly distinguishes from sibling tools like ssl_certificate or dns_lookup by focusing on security headers.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description strongly implies the tool is for security header grading, and sibling tools cover other security checks, so an agent can infer usage. However, it lacks explicit guidance on when not to use this tool or mention alternatives, preventing a 5.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.