generate_finding

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already indicate read-only, non-destructive, idempotent behavior. The description adds that the tool fetches details and formats a professional finding with severity, CVSS, description, etc. This provides meaningful context beyond the annotations without contradiction.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences plus a concrete example, efficiently conveying all necessary information. The main action, input, output format, and optional fields are front-loaded, with no superfluous content.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool without an output schema, the description sufficiently outlines the output (Markdown finding with severity, CVSS, description, etc.). It covers input, processing, and output fields. However, it does not specify the exact structure or confirm whether the output is always a string, but the example bridges this gap.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

All three parameters are documented in the schema with types and descriptions. The tool description adds context by stating optionality and providing an example that illustrates realistic usage. This adds value beyond the schema, though the schema already covers the basics.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool generates a pentest report finding in Markdown format, specifying the input types (CVE/EIP IDs) and optional fields. The example solidifies the use case. It differentiates from siblings like get_vulnerability by focusing on formatted report output rather than raw data.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description describes what the tool does and includes an example, but does not explicitly advise when to use this tool versus alternatives like get_vulnerability or get_exploit_analysis. The guidance is implied but not explicit, leaving room for ambiguity.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.