list_https_outbound_calls

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations are absent, so description carries full burden. It discloses that results have a dashboard_url and mandates clickable links per detection. It also explains the customer parameter fallback to env var and aggregation across all orgs. No contradiction observed.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

Three sentences, front-loaded with purpose and usage context. Each sentence adds value, though the dashboard_url instruction could be embedded more succinctly. No unnecessary repetition.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

No output schema exists, so description must cover return values. It mentions dashboard_url but not other fields like method, path, or timestamp. Gaps in expected output structure reduce completeness for agent invocation.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Input schema has 100% coverage, so baseline is 3. Description adds context for 'customer' (fallback and aggregation) and 'orgScope' (owner-scoped endpoint), but these are already in schema descriptions. No new parameter meaning added beyond schema.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

Description clearly states 'List HTTPS outbound network-call detections (TLS-intercepted calls with method + path)' which is a specific verb+resource. It distinguishes from siblings like list_anomalous_network_calls by focusing on intercepted outbound calls with method and path details.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides a concrete use case: 'when you need to see WHAT an outbound call did — e.g. POSTs to a suspicious endpoint during a build'. This helps contextualize when to use this tool, but does not explicitly exclude alternatives or mention when not to use it.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.