Glama

Contrast Scan

contrast_scan
Annotations: Read-only, Idempotent

Run an active website security scan with 11 modules to identify misconfigurations and receive severity-ranked vulnerability findings and a grade.

Instructions

Active website security scan: runs the ContrastScan C engine (11 modules — HTTP security headers, SSL/TLS, DNS, redirect chain, information disclosure, cookie flags, DNSSEC, HTTP methods, CORS, HTML hygiene, deep CSP analysis) against the live site and enriches the raw result with severity-ranked vulnerability findings and a letter grade. Use for a hands-on misconfiguration scan; use audit_domain for passive recon (DNS/WHOIS/SSL/threat intel) and scan_headers for headers only. Active outbound fetch — a per-target eTLD+1 throttle (60 req/min) applies. Free: 30/hr (costs 6 tokens), Pro: 500/hr. Returns {domain, resolved_ip, total_score, max_score, grade, findings, findings_count, headers, ssl, dns, redirect, disclosure, cookies, dnssec, methods, cors, html, csp_analysis, enterprise, summary, next_calls}.

Input Schema

Name: domain
Required: Yes
Description: Root domain to scan, without protocol or path (e.g. 'example.com'). Bare IPs and private-resolving domains are rejected.
Default: (none)
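The rejection rule above (bare IPs and private-resolving names refused) and the per-target throttle in the Instructions are the two controls that keep an active, agent-driven scanner from being turned into an SSRF proxy against loopback, RFC 1918 space or the cloud metadata endpoint. The following is an added example of how such a pre-flight check can be written; it is not contrast_scan's own code, which the page does not show. The resolver and clock are injected so it runs offline, the DNS table is constructed for the demo, and the function and class names (`validate_target`, `PerTargetThrottle`) are assumptions.

```python
"""Pre-flight target validation and throttling for an active web scanner.

Added example, not the contrast_scan implementation. It applies the rules the
input schema states: root domain only (no scheme, no path), bare IP literals
refused, names that resolve to non-public address space refused, and a
per-target request throttle. Resolver and clock are injectable.
"""
import ipaddress
import re
import time
from collections import defaultdict, deque
from typing import Callable, Iterable

Resolver = Callable[[str], Iterable[str]]  # name -> A/AAAA address strings

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


class TargetRejected(ValueError):
    """The target must not be scanned; the message says why."""


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip("[]"))  # accept bracketed IPv6 too
        return True
    except ValueError:
        return False


def _is_public(raw: str) -> bool:
    addr = ipaddress.ip_address(raw)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Explicit flags in addition to is_global: older Pythons treat some
    # special ranges (e.g. multicast) as global.
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or not addr.is_global)


def validate_target(domain: str, resolve: Resolver) -> tuple[str, list[str]]:
    """Return (normalised domain, vetted addresses) or raise TargetRejected."""
    d = domain.strip().lower().rstrip(".")
    if not d or any(c in d for c in "/?#@ "):
        raise TargetRejected("give a bare domain, without protocol, path or credentials")
    if _is_ip_literal(d):
        raise TargetRejected("bare IP addresses are not accepted")
    labels = d.split(".")
    if len(labels) < 2 or not all(_LABEL.match(l) for l in labels) or labels[-1].isdigit():
        raise TargetRejected(f"{d!r} is not a valid domain name")
    addrs = list(resolve(d))
    if not addrs:
        raise TargetRejected(f"{d!r} does not resolve")
    # Every answer must be public: an answer set mixing public and private
    # addresses is the classic rebinding/SSRF trick. The engine should then
    # connect only to the addresses vetted here rather than resolve again.
    bad = [a for a in addrs if not _is_public(a)]
    if bad:
        raise TargetRejected(f"{d!r} resolves to non-public address(es) {bad}")
    return d, addrs


class PerTargetThrottle:
    """At most `limit` requests per `window` seconds per target key.

    The page keys its throttle on the target's eTLD+1; deriving that needs
    the Public Suffix List, so this example keys on the validated root domain
    (an assumption).
    """

    def __init__(self, limit: int = 60, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed resolver table standing in for real DNS (not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "metadata.evil.test": ["169.254.169.254"],          # cloud metadata endpoint
    "rebind.evil.test": ["93.184.216.34", "127.0.0.1"],  # mixed public/loopback
    "mapped.evil.test": ["::ffff:10.0.0.5"],            # IPv4-mapped RFC 1918
}


def fake_resolve(name: str) -> list[str]:
    return FAKE_DNS.get(name, [])


def check(domain: str) -> str:
    """Return 'ok' or the rejection reason."""
    try:
        validate_target(domain, fake_resolve)
        return "ok"
    except TargetRejected as e:
        return str(e)


if __name__ == "__main__":
    for t in ["example.com", "https://example.com/", "93.184.216.34", "[::1]",
              "metadata.evil.test", "rebind.evil.test", "mapped.evil.test", "localhost"]:
        print(f"{t:24} -> {check(t)}")
```

The point worth carrying into any real engine is the last step: a name that passes this check can still be re-resolved to a private address a second later, so the scanner should connect to the addresses returned by `validate_target` (pinning them) instead of letting its HTTP client resolve the name again.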

Output Schema

Name: result
Required: Yes
Description: (none given)
Default: (none)
Behavior: 5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations declare readOnlyHint, openWorldHint, idempotentHint, and not destructive. The description adds key behavioral details: active outbound fetch, per-target throttle, rejection of bare IPs/private domains, and token costs. No contradiction with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is dense and packs many details into a few sentences. It is front-loaded with the main purpose. Although slightly verbose, every sentence earns its place; line breaks would make it easier to read.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (11 modules, many return fields), the description covers purpose, usage, behavioral constraints, and output structure. Together with the listed return fields and full schema coverage of the single parameter, that is enough for an agent to invoke the tool correctly on the first attempt.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The schema covers the single parameter 'domain' with description. The description goes beyond by clarifying that bare IPs and private-resolving domains are rejected. With 100% schema coverage, baseline is 3; the extra context raises it to 4.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly identifies the tool as an active website security scan using the ContrastScan C engine with 11 modules. It specifies the resource (live site) and the output (severity-ranked findings and letter grade). It also distinguishes itself from sibling tools like audit_domain and scan_headers, fulfilling the specificity requirement.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicit guidance: 'Use for a hands-on misconfiguration scan; use audit_domain for passive recon... and scan_headers for headers only.' Also mentions rate limits (60 req/min) and token costs, providing clear when-to-use and when-not-to-use context.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/UPinar/contrastapi'
