goklab

guardvibe

scan_dependencies

Parse manifest files to check all dependencies for known vulnerabilities using the OSV database. Identify vulnerable packages in your project.

Instructions

Parse a lockfile or manifest (package.json, package-lock.json, requirements.txt, go.mod) and check all dependencies for known CVEs via the OSV database. Reads the file directly. Use this after installing dependencies, during CI, or when auditing existing projects for vulnerable packages.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| format | No | Output format: markdown (human) or json (machine-readable for agents) | markdown |
| manifest_path | Yes | Path to manifest file (e.g. 'package.json', 'requirements.txt', 'go.mod') | |

Behavior 5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description fully bears the burden of transparency. It discloses that the tool 'Reads the file directly' and checks against the OSV database, making its operation clear. There is no contradiction with annotations (none exist).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise with three sentences: the first states the core functionality, the second adds a key behavioral detail, and the third provides usage guidance. Every sentence earns its place with no redundancy or fluff.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness 3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Despite having no output schema, the description does not fully explain the return value structure beyond output format options. For example, it doesn't specify whether the tool returns a list of CVEs, severity levels, per-dependency results, or a summary. This gap makes the description less complete for an agent to understand what to expect.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 100% coverage for both parameters, meaning the schema already documents them. The description adds value by explaining that the tool reads the file directly (context for manifest_path) and by elaborating on the output format options (human vs machine-readable). This exceeds the baseline of 3.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: parse a lockfile/manifest and check dependencies for known CVEs via the OSV database. The verb 'Parse' and resources 'lockfile or manifest' specify the action and target, and the description distinguishes it from sibling tools like 'check_dependencies' by mentioning direct file reading and the OSV database.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly provides usage context: 'Use this after installing dependencies, during CI, or when auditing existing projects for vulnerable packages.' This covers when to use the tool, though it does not mention when not to use it or suggest alternatives, which would improve the score.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/goklab/guardvibe'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.