rubeus_kerberoast

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Without annotations, the description carries the full burden. It explains that the tool requests TGS tickets encrypted with password hashes, mentions OPSEC considerations (AES vs RC4), and notes the output format for hashcat/John. It does not disclose prerequisites like domain credentials or potential alerts, but covers key behavioral aspects.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise with three short paragraphs and bullet points for features. It is front-loaded with the primary purpose. While not as lean as one sentence, it efficiently communicates key details without unnecessary verbosity.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

With 23 parameters and no output schema, the description covers the overall goal, key features, and output format. It addresses targeting, stealth, filtering, and output compatibility. Minor gaps like exact return structure or credential requirements exist, but completeness is high for a complex offensive security tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, so baseline is 3. The description adds meaningful context beyond the schema by grouping features (e.g., targeting, stealth, filtering) and explaining the purpose of advanced options like aes, stats, and ldapfilter. This extra value justifies a 4.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool performs a Kerberoasting attack to extract service account password hashes, using the specific verb 'Perform' and resource. It distinguishes from sibling tools like rubeus_asreproast by focusing on TGS ticket requests for SPN accounts, leaving no ambiguity about its unique purpose.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for offline cracking of service account passwords and lists relevant features, providing clear context for when to use the tool. However, it lacks explicit exclusions or alternative tool references, though the sibling list makes the distinction apparent.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.