breachPassword

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description must disclose all behavioral traits. It reveals that only the first 5 characters of the SHA-1 hash are sent (privacy), and that no API key is needed. However, it does not describe the response format (e.g., boolean, count), rate limits, or error handling. The description adds some transparency but misses key behavioral details for a tool that expects a response.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is exceptionally concise: two sentences cover purpose, privacy method, and cost. Every word adds value. There is no fluff or repetition. It is front-loaded with the main action and then provides essential context.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given that there is no output schema, the description should explain what the agent can expect as a result. It says 'Check if a password has appeared' but does not specify the return format (e.g., boolean, count, or summary). For a single-parameter tool without output schema, this gap reduces completeness. The input handling is well covered, but output is missing.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has one parameter 'password' with a generic description. The description adds significant meaning beyond the schema: it explains that the password is SHA-1 hashed and only the first 5 characters are sent (k-anonymity). This tells the agent how the parameter is processed internally, which is valuable for understanding privacy and security implications.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb 'Check' and the resource 'password has appeared in known data breaches'. It uses the specific 'Pwned Passwords k-anonymity API', which distinguishes it from sibling tools like breachSearch that check accounts or domains. The purpose is unambiguous and specific.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides practical context: it explains that only the first 5 characters of the SHA-1 hash are sent (privacy feature) and that it is free with no API key required. This helps the agent understand when to use this tool (low-barrier, privacy preserving). However, it does not explicitly state when not to use or mention alternatives among the siblings.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.