update_vulnerability

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

The description adds the permission requirement beyond annotations, which is useful. However, annotations already indicate non-read-only, non-destructive, idempotent, and open-world behavior. The description does not disclose additional behavioral traits like side effects or return format.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single sentence with parenthetical inclusions, efficiently conveying purpose and a key requirement. It is front-loaded and contains no fluff, though a more structured format could improve readability.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the absence of an output schema, the description should explain what the tool returns (e.g., updated record or success status). It also doesn't clarify potential side effects from openWorldHint. While the input is clear, the output is left unspecified.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 100% schema coverage, the baseline is 3. The description essentially repeats the example fields already in the schema description for the 'fields' parameter, adding no new meaning. No additional syntactic or semantic clarification is provided.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the action ('Update a vulnerability entry') and specifies the key fields it affects (state, risk acceptance notes, remediation date). This distinguishes it from read tools like get_vulnerability and other update tools for different entities.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides a precondition ('requires WRITE_ENABLED=true') but does not offer guidance on when to use this tool versus alternatives (e.g., other update tools or create vulnerability). It lacks explicit when-not-to-use instructions or comparisons.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.