inkog

Overview Schema Related Servers Score Discussions

inkog_explain_finding

Explain security findings from scans and provide step-by-step remediation guidance with code examples to fix vulnerabilities in AI agents.

Instructions

Get detailed explanation and remediation guidance for a security finding or pattern. Includes what the issue is, why it's dangerous, step-by-step fixes, and code examples. Use this after scanning to understand how to fix security findings.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`finding_id`	No	Finding ID from scan results (e.g., "f8a3b2c1")
`pattern`	No	Pattern name: prompt-injection, infinite-loop, sql-injection-llm, token-bombing, hardcoded-credentials, missing-rate-limits, recursive-delegation, etc.

Implementation Reference

src/tools/explain.ts:72-241 (handler)

The explainHandler function performs the API call to Inkog and formats the response for the tool output.

async function explainHandler(rawArgs: Record<string, unknown>): Promise<ToolResult> {
  // Validate arguments
  const parseResult = ExplainArgsSchema.safeParse(rawArgs);
  if (!parseResult.success) {
    return {
      content: [
        {
          type: 'text',
          text: `Invalid arguments: ${parseResult.error.message}\n\nProvide either finding_id (from scan results) or pattern name.`,
        },
      ],
      isError: true,
    };
  }

  const args: ExplainArgs = parseResult.data;

  try {
    // Call Inkog API
    const client = getClient();
    const explainOptions: { findingId?: string; pattern?: string } = {};
    if (args.finding_id !== undefined) {
      explainOptions.findingId = args.finding_id;
    }
    if (args.pattern !== undefined) {
      explainOptions.pattern = args.pattern;
    }
    const response = await client.explainFinding(explainOptions);

    // Build formatted output
    let output = '╔══════════════════════════════════════════════════════╗\n';
    output += '║           📖 Security Finding Explanation             ║\n';
    output += '╚══════════════════════════════════════════════════════╝\n\n';

    // Title and metadata
    output += `🔍 ${response.title}\n`;
    output += `   Pattern: ${response.pattern_id}\n`;
    output += `   Severity: ${formatSeverityBadge(response.severity)}\n`;
    output += `   Category: ${response.category}\n`;

    // CWE - backend sends as array
    if (response.cwe !== undefined && response.cwe.length > 0) {
      output += `   CWE: ${response.cwe.join(', ')}\n`;
    }
    // OWASP - backend sends as array
    if (response.owasp !== undefined && response.owasp.length > 0) {
      output += `   OWASP LLM: ${response.owasp.join(', ')}\n`;
    }

    output += '\n';

    // Description
    output += '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\n';
    output += '📝 DESCRIPTION\n\n';
    output += response.description + '\n\n';

    // Impact
    if (response.impact) {
      output += '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\n';
      output += '💥 POTENTIAL IMPACT\n\n';
      output += response.impact + '\n\n';
    }

    // Remediation
    if (response.remediation) {
      output += '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\n';
      output += '🔧 HOW TO FIX\n\n';
      output += response.remediation + '\n\n';
    }

    // Remediation steps - backend sends as string[]
    if (response.remediation_steps && response.remediation_steps.length > 0) {
      output += '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\n';
      output += '📋 REMEDIATION STEPS\n\n';
      for (let i = 0; i < response.remediation_steps.length; i++) {
        output += `${i + 1}. ${response.remediation_steps[i]}\n`;
      }
      output += '\n';
    }

    // Code examples - backend sends as examples: { vulnerable, secure }
    if (response.examples !== undefined) {
      output += '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\n';
      output += '📝 CODE EXAMPLES\n\n';

      output += '❌ Vulnerable:\n';
      output += `\`\`\`\n${response.examples.vulnerable}\n\`\`\`\n\n`;

      output += '✅ Secure:\n';
      output += `\`\`\`\n${response.examples.secure}\n\`\`\`\n\n`;
    }

    // References - backend sends as { title, url }[]
    if (response.references !== undefined && response.references.length > 0) {
      output += '━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n\n';
      output += '📚 REFERENCES\n\n';
      for (const ref of response.references) {
        output += `• ${ref.title}: ${ref.url}\n`;
      }
    }

    return {
      content: [
        {
          type: 'text',
          text: output,
        },
      ],
    };
  } catch (error) {
    if (error instanceof InkogAuthError) {
      return {
        content: [
          {
            type: 'text',
            text: '🔐 API Key Required\n\nGet your free key at https://app.inkog.io',
          },
        ],
        isError: true,
      };
    }

    if (error instanceof InkogRateLimitError) {
      return {
        content: [
          {
            type: 'text',
            text: `⏱️ Rate Limited\n\nToo many requests. Please retry after ${error.retryAfter} seconds.`,
          },
        ],
        isError: true,
      };
    }

    if (error instanceof InkogNetworkError) {
      return {
        content: [
          {
            type: 'text',
            text: `Network error: ${error.message}`,
          },
        ],
        isError: true,
      };
    }

    if (error instanceof InkogApiError) {
      return {
        content: [
          {
            type: 'text',
            text: `API error: ${error.message}${error.details ? `\n\nDetails: ${JSON.stringify(error.details)}` : ''}`,
          },
        ],
        isError: true,
      };
    }

    const message = error instanceof Error ? error.message : 'Unknown error occurred';
    return {
      content: [
        {
          type: 'text',
          text: `Error: ${message}`,
        },
      ],
      isError: true,
    };
  }
}

src/tools/explain.ts:28-43 (schema)

ExplainArgsSchema validates the inputs for the inkog_explain_finding tool.

const ExplainArgsSchema = z
  .object({
    finding_id: z
      .string()
      .optional()
      .describe('Finding ID from scan results (e.g., "f8a3b2c1")'),
    pattern: z
      .string()
      .optional()
      .describe(
        'Pattern name: prompt-injection, infinite-loop, sql-injection-llm, token-bombing, hardcoded-credentials, missing-rate-limits, recursive-delegation, etc.'
      ),
  })
  .refine((data) => data.finding_id !== undefined || data.pattern !== undefined, {
    message: 'Either finding_id or pattern must be provided',
  });

src/tools/explain.ts:247-268 (registration)

The explainTool definition registers the tool name, description, schema, and handler.

export const explainTool: ToolDefinition = {
  tool: {
    name: 'inkog_explain_finding',
    description:
      'Get detailed explanation and remediation guidance for a security finding or pattern. Includes what the issue is, why it\'s dangerous, step-by-step fixes, and code examples. Use this after scanning to understand how to fix security findings.',
    inputSchema: {
      type: 'object',
      properties: {
        finding_id: {
          type: 'string',
          description: 'Finding ID from scan results (e.g., "f8a3b2c1")',
        },
        pattern: {
          type: 'string',
          description:
            'Pattern name: prompt-injection, infinite-loop, sql-injection-llm, token-bombing, hardcoded-credentials, missing-rate-limits, recursive-delegation, etc.',
        },
      },
    },
  },
  handler: explainHandler,
};

Tool Definition Quality

A3.9/5.0

Behavior3/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It describes the tool's output content ('what the issue is, why it's dangerous, step-by-step fixes, and code examples') but doesn't mention performance characteristics, error handling, or authentication requirements that would be helpful for a security tool.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is efficiently structured in two sentences with zero waste. The first sentence clearly states the tool's purpose and output format, while the second provides usage guidance, with every element earning its place.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with no annotations and no output schema, the description provides adequate context about what the tool does and when to use it, but lacks details about response format, error conditions, or limitations that would be helpful for a security remediation guidance tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 100% schema description coverage, the schema already documents both parameters thoroughly. The description doesn't add any meaningful parameter semantics beyond what's in the schema, so it meets the baseline for high schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose with specific verbs ('Get detailed explanation and remediation guidance') and resources ('for a security finding or pattern'), distinguishing it from sibling scanning tools by focusing on post-scan analysis rather than detection.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides clear context for when to use this tool ('Use this after scanning to understand how to fix security findings'), but doesn't explicitly state when not to use it or name specific alternatives among the sibling tools.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/inkog-io/inkog'

If you have feedback or need assistance with the MCP directory API, please join our Discord server