Identify shortest attack paths in Active Directory where users have dangerous permissions to modify the AdminSDHolder object, enabling privilege escalation detection.
Find allshortestpaths with dangerous rights to AdminSDHolder object
| Name | Required | Description | Default |
|---|---|---|---|
| domain | Yes |
Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
No annotations are provided, so the description carries the full burden. It mentions 'dangerous rights' and 'AdminSDHolder object', implying a security-focused read operation, but doesn't disclose behavioral traits like whether it's safe, what 'dangerous rights' entail, potential impacts, rate limits, or output format. This leaves significant gaps for an agent to understand the tool's behavior.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.
Is the description appropriately sized, front-loaded, and free of redundancy?
The description is a single, efficient sentence with no wasted words, making it appropriately sized. However, it could be more front-loaded with key details, and the lack of structure (e.g., separating purpose from context) slightly reduces clarity.
Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.
Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?
Given the complexity implied by 'dangerous rights' and 'AdminSDHolder', no annotations, 0% schema coverage, and no output schema, the description is incomplete. It doesn't explain the tool's scope, security implications, or what results to expect, leaving the agent with insufficient context for safe and effective use.
Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.
Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?
Schema description coverage is 0%, with one parameter 'domain' undocumented in both schema and description. The description adds no meaning beyond the schema, failing to explain what 'domain' represents (e.g., Active Directory domain name) or how it relates to finding paths. This doesn't compensate for the low coverage.
Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.
Does the description clearly state what the tool does and how it differs from similar tools?
The description clearly states the verb 'Find' and the resource 'allshortestpaths with dangerous rights to AdminSDHolder object', making the purpose specific. However, it doesn't explicitly differentiate from sibling tools like 'find_allshortestpaths_with_dcsync_to_domain' or 'find_allshortestpaths_with_shadow_credential_permission', which have similar 'find allshortestpaths' patterns but target different objects or rights.
Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.
Does the description explain when to use this tool, when not to, or what alternatives exist?
The description provides no guidance on when to use this tool versus alternatives. It doesn't mention prerequisites, context, or exclusions, and with many sibling tools focused on paths, rights, or dangerous permissions, the lack of differentiation leaves usage ambiguous.
Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/stevenyu113228/BloodHound-MCP'
If you have feedback or need assistance with the MCP directory API, please join our Discord server