disk_parse_mft

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description must disclose behavioral traits. It correctly describes the tool as parsing and analyzing timestamps, implying it is read-only. However, it does not explicitly state that it does not modify data, require special permissions, or have rate limits, leaving some behavioral gaps.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise (three sentences) and front-loaded with the core action. It efficiently conveys purpose, scope, and key features without extraneous detail, making it easy for an agent to parse.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Despite no output schema, the description hints at return values (metadata, timestamps, ADS). It covers the tool's main capabilities and questions it answers. For a complex tool with 10 parameters, it provides sufficient context, though it could briefly mention output structure.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Input schema covers all parameters (100% coverage), so the description's role is minimal. It adds context by tying parameters to the tool's purpose (e.g., timestomping detection), but does not enrich individual parameter descriptions beyond what the schema already provides.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool parses $MFT for file metadata, ADS, and timestomping detection, distinguishing it from sibling disk parsing tools (e.g., disk_parse_prefetch). It answers specific forensic questions, leaving no ambiguity about its function.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description implicitly guides usage by highlighting timestomping detection and named stream analysis, which differentiates it from other disk parsers. It provides explicit answers to common forensic queries, helping an agent decide when to invoke this tool, but lacks explicit 'when not to use' or alternative tool references.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.