security_audit_sbom_continuous

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Beyond annotations (destructiveHint=true, openWorldHint=true), the description details persistent behavior (90-day TTL, Redis), input limits (500 KB), return signals (go_no_go, new_findings), and rate limits (10/min). No contradictions with annotations; adds significant value.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is dense and efficient, covering all essential aspects in a few sentences with no redundant phrases. Important details are front-loaded (persistent watch, formats), and secondary details follow logically.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (stateful watch, multiple actions, persistence), the description covers registration, checking, deregistration, formats, storage, limits, rate limits, auth, and error reporting. Output schema exists, so return values need not be detailed. Complete for effective use.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, so baseline is 3. The description reinforces that sbom is required for register, watch_id is unique, and action has three values, but adds no new information beyond the schema's descriptions. Minimal added value.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly defines the tool as a persistent SBOM watch for continuous monitoring of CVEs, differentiating it from sibling one-off scanning tools like security_audit_sbom_vulnerabilities. Specific verbs like 'Register once, check anytime' and supported formats (CycloneDX, SPDX) make purpose unambiguous.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly targets DevSecOps teams monitoring production dependencies and provides rate limits and auth requirements. While it doesn't formally exclude other uses, the context implies a specific niche. The fallback instruction for report_feedback guides when the tool fails to meet needs.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.