vulnerability__get_systems

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The annotations already indicate readOnlyHint=true, so the description doesn't need to restate. It adds that both affected and not affected systems are returned, and lists returned fields. However, it does not disclose pagination behavior, rate limits, or sorting default beyond what the schema provides.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences plus a note about the OpenAPI spec. It is front-loaded with the core purpose and conveys key information without redundancy.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the 6 parameters (all optional with descriptions), an existing output schema, and no nested objects, the description sufficiently covers the tool's behavior. It mentions the returned fields and the scope (both affected and not affected), providing a complete picture for a list endpoint.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 100% description coverage, so the baseline is 3. The description does not add meaning beyond the schema; it mentions response fields (last check-in, etc.) but not input parameters. No additional value for parameter semantics.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

Description clearly states it retrieves a list of systems from the Vulnerability inventory, including specific fields like last check-in, system name, workspace name, RHEL version, and CVE count. It distinguishes from siblings like vulnerability__get_cve_systems by noting it returns both affected and not affected systems, but could be more explicit.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance provided on when to use this tool versus alternatives (e.g., vulnerability__get_cve_systems, vulnerability__get_system_cves). The description only states what it does, not the context or prerequisites.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.