check_dependencies

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already indicate readOnly=true, destructive=false, idempotent=true. The description adds substantial behavioral details: 50-package limit, rate limits, return structure (findings, total, by_severity, summary), and the conditional behavior of the 'fixed_in' field (omitted for open-ended ranges) with corresponding remediation copy changes. No contradictions with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is front-loaded with the main purpose, followed by constraints, comparison, rate limits, return structure, and behavioral nuance. Every sentence adds value, though it is slightly verbose in detailing the 'fixed_in' behavior. Overall, it is well-structured and efficient.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (multiple ecosystems, CVE lookups, rate limits, conditional return fields), the description covers all essential aspects: purpose, usage constraints, behavioral details, and return format. An output schema exists, so the high-level return description is sufficient. The description is complete and leaves no critical gaps.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100% with a detailed parameter description for 'packages', including structure, limits, and example. The description adds little beyond the schema, only echoing the restrictions. Since the schema already provides adequate semantic meaning, a baseline score of 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool audits project dependencies against CVE database, specifying supported ecosystems (npm/PyPI/Maven/RubyGems/etc.). It explicitly distinguishes from sibling 'cve_lookup' for single CVEs, making the purpose highly specific and well-differentiated.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides clear context for when to use (dependency security scanning) and mentions cve_lookup as alternative for single CVEs. Rate limits (30/hr Free, 500/hr Pro) are given. However, it does not differentiate from the sibling 'bulk_cve_lookup', which could be a similar bulk tool, leaving a minor gap in usage guidance.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.