run_logtest

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries the full burden. It describes the tool as a test/analysis engine that does not modify state, which is consistent with its purpose. However, it does not disclose potential prerequisites (e.g., OSSEC must be running), authentication requirements, or any limitations. Given the test nature, the behavioral disclosure is adequate but not exhaustive.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise and well-structured: a short lead sentence, then a more detailed explanation, followed by formatted Args and Returns sections, plus example log lines. Every sentence adds value, and there is no wasted text. The structure is front-loaded with the essential purpose.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given that the tool has an output schema (so return format is largely covered) and is a straightforward diagnostic tool, the description is nearly complete. It explains inputs, outputs, and provides examples. It could be enhanced by mentioning that OSSEC must be active, but that is implicit. Overall, it provides sufficient context for an agent to use the tool correctly.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The description includes an 'Args' section that explains both parameters: log_line (with example log entries) and verbose (meaning of True). This adds significant meaning beyond the basic schema, especially since schema coverage is 0%. The examples are helpful for users unfamiliar with OSSEC log formats.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: testing a log line against OSSEC rules and decoders to see decoding, rule matches, and alert level. It uses specific verbs ('Test', 'Runs') and resources ('log line against OSSEC rules and decoders'). Among sibling tools, it stands out as a debugging/testing tool, distinct from management tasks like get_rules or add_agent.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly says 'Extremely useful for debugging rules and decoders', providing clear context for when to use the tool. It does not explicitly state when not to use it or name alternatives, but the sibling tools do not directly compete (e.g., get_rules provides rule listings, not testing). The usage guidance is solid but lacks exclusionary criteria.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.