assess_security_posture

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations indicate readOnlyHint=true and openWorldHint=false, which the description doesn't contradict. The description adds valuable behavioral context about what the assessment includes (findings correlation, compliance status, risk scoring, recommendations, resource analysis) that goes beyond the annotations. However, it doesn't mention rate limits, authentication requirements, or execution time.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is appropriately sized and front-loaded with the core purpose. The bulleted list efficiently communicates key capabilities. While comprehensive, every sentence adds value, though the final usage sentence could be more concise.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity and the presence of an output schema, the description provides good context about what the assessment includes and when to use it. With annotations covering safety aspects and an output schema handling return values, the description focuses appropriately on the tool's purpose and capabilities.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

With 0% schema description coverage, the description doesn't explain any of the 5 parameters (scope, target, frameworks, severity_threshold, include_recommendations). However, it does mention 'multi-framework compliance assessment' which relates to the frameworks parameter, and 'prioritized findings' which relates to severity_threshold. This provides some context but doesn't fully compensate for the schema coverage gap.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the specific action ('perform comprehensive security assessment') and resource ('AWS infrastructure'), distinguishing it from sibling tools like get_server_info and health_check. It provides detailed scope including multi-service orchestration and multi-framework compliance assessment.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicit guidance is provided: 'Use this tool to get a comprehensive understanding of your AWS security posture and identify the most critical security issues that need attention.' This clearly defines when to use this tool versus simpler sibling tools like health_check or get_server_info.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.