cloud-audit

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, description carries the full disclosure burden and successfully notes the authentication requirement (none needed) and return structure (IDs with categories/services). Does not mention idempotency or caching, but covers the critical behavioral constraints for this simple list operation.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

Two efficient sentences. First establishes purpose and critical prerequisite (credentials), second describes return values. No redundancy, front-loaded with the most important constraint.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given zero parameters and existence of output schema, the brief description of return values ('check IDs with their categories and services') is sufficient. The credential disclosure completes the necessary context for a discovery tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Zero parameters present with 100% schema coverage (vacuously). Baseline 4 applies as there are no parameters requiring semantic explanation, and the description correctly does not invent parameter documentation.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

Specific verb 'List' with clear resource 'available security checks'. Effectively distinguishes from siblings like 'get_findings' and 'scan_aws' by emphasizing this returns available check definitions/metadata rather than scan results or operational commands.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides concrete usage context with 'no AWS credentials needed', signaling it can be called for discovery before authentication setup. Lacks explicit 'use this before scan_aws' guidance or alternative comparisons, though the credential note is highly practical.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.