ioc_lookup

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Description adds behavioral details beyond annotations: auto-detection of IOC type, multiple source queries, what sources cover which types, and how verdict fields indicate success/failure (sources_queried vs sources_unavailable). No contradiction with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

Description is concise (few sentences), front-loaded with core purpose, then provides necessary details on sources, error handling, and usage guidance. Every sentence adds value without redundancy.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given complexity (multiple IOC types, multiple sources, error handling, rate limits) and presence of output schema, description is remarkably complete. It covers input, behavior, source coverage, failure handling, alternatives, and rate limits.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100% with detailed indicator format examples. Description adds value by explaining auto-detection of type and how the indicator is processed, going beyond the schema's static description.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

Description clearly states it enriches an IOC (IP/domain/URL/hash) by auto-detecting type and querying abuse.ch feeds. It lists per-type source coverage, distinguishing it from sibling tools like threat_intel and hash_lookup.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicitly says 'Use as primary IOC triage tool when type unknown; use threat_intel for domain-only, hash_lookup for richer MalwareBazaar hash data.' Also includes rate limits (Free: 30/hr, Pro: 500/hr), providing clear context on when to use alternatives.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.