apmx_detect_patterns

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description must convey behavioral traits. It mentions analyzing runtime behavior and returning risk level and timeline, but does not disclose whether the tool modifies data, requires permissions, or has any side effects. It lacks details on output structure or edge cases (e.g., no patterns found).

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences, front-loaded with the core purpose, and includes key outputs (risk level, timeline). Every sentence adds value with no redundancy or fluff.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a tool with no output schema, the description provides basic outputs but lacks detail on the structure of the timeline or risk level. It is adequate for selection but not fully comprehensive for a complex detection tool.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100% with clear descriptions for both parameters (file_path and process_index). The description adds context about the patterns detected but does not enhance parameter meaning beyond the schema, so baseline 3 is appropriate.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states it detects injection/evasion/persistence patterns in APMX captured API calls, using MITRE ATT&CK technique IDs. The verb 'detect' and resource 'APMX captured API calls' are specific, and the mention of risk level and timeline distinguishes it from generic analysis tools.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implies usage for analyzing captured APMX files against attack patterns, but does not explicitly state when to use this tool versus siblings like api_detect_patterns or apmx_get_call_details. No when-not-to-use or alternative guidance is given.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.