Glama

get_vulnerabilities

Annotations: Read-only, Idempotent

Check for known CVEs and OSV advisories affecting a package across 17 ecosystems. Specify ecosystem and package name to get vulnerability count, severity, CVSS scores, and fixed version. Identifies security issues before use.

Instructions

CVE/OSV advisories affecting the latest (or specified) version. USE WHEN: security-sensitive project; user asks 'any CVEs in X'; you already know the pkg exists. RETURNS: {vulnerability_count, vulnerabilities[]: {id, severity, cvss, fixed_in}}.

Input Schema

Name        Required   Description   Default
ecosystem   Yes        (none)        (none)
package     Yes        (none)        (none)
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The annotations already cover safety (read-only, idempotent). The description adds the return format, but it contains a misleading mention of a 'specified version' even though the input schema has no version parameter, which causes confusion.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

A compact two sentences plus a return block, well structured with USE WHEN and RETURNS sections. However, the inaccurate version mention wastes space.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Despite providing the return structure, the description introduces a version concept the schema does not support and does not fully cover the tool's capabilities given that schema. It does not explain how to query the latest version versus a specific one.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 1/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 0%, and the description fails to explain the 'ecosystem' or 'package' parameters. The mention of a 'specified version' is incorrect given the schema, adding no value and causing harm.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states that the tool retrieves CVE/OSV advisories for a package, with specific usage conditions. It distinguishes itself from sibling tools that check other aspects such as maliciousness or typosquatting.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides explicit 'USE WHEN' conditions (security-sensitive project, user asks about CVEs, package is known to exist). It lacks explicit when-not-to-use guidance or alternatives, but the context is clear enough.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cuttalo/depscope'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.