Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?
With no annotations provided, the description carries full burden for behavioral disclosure. 'Test for authentication bypass vulnerabilities' implies this performs potentially intrusive security testing, but doesn't specify whether it's passive or active, what permissions are needed, what side effects it might have, or what the output looks like. For a security testing tool with zero annotation coverage, this is insufficient.
Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.