vulnerability__explain_cves

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description reveals behavioral traits beyond annotations: it uses VMAAS, explains what 'affected_packages' means, and indicates that the tool is read-only (consistent with readOnlyHint). No side effects or destructive actions are mentioned, which is appropriate.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single paragraph that is relatively concise but includes some redundancy (e.g., 'This endpoint returns...' restating the title). It front-loads the key purpose and provides necessary context, though it could be more structured.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given that an output schema exists (not shown), the description adequately covers what the tool does, prerequisites, and a follow-up action (remediation). It does not describe the output format but that is handled by the schema. The description is sufficient for an agent to understand the tool's role.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100% with clear examples. The description adds context on how to obtain parameters (system UUID from inventory, CVEs list) and explains the 'affected_packages' field in the response, though it does not elaborate on constraints like maximum CVE count.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Explain why CVEs are affecting my environment.' It specifies the methodology (VMAAS) and outputs (affected packages and fix info), distinguishing it from sibling tools like vulnerability__get_cves (list CVEs) and vulnerability__get_cve (single CVE details).

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly guides the agent on prerequisites: 'To get the explanation, we need to get the system UUID from the inventory and list of CVEs.' It also suggests an alternative for remediation: 'To update affected packages, suggest to use Ansible Remediation Playbook via Remediations MCP tool.'

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.