
scan_terraform

Identify security misconfigurations in Terraform HCL source code by scanning for issues like public-read S3 buckets, open security groups, and unencrypted RDS instances, with severity-graded findings per resource block.

Instructions

Scan Terraform HCL source for security misconfigurations.

Returns findings (severity-graded) tied to specific resource blocks — e.g. aws_s3_bucket with acl = public-read, aws_security_group with cidr_blocks = 0.0.0.0/0 on sensitive ports, aws_rds_instance with storage_encrypted = false.

When to use: You have existing Terraform code (not an ArchSpec) and want an immediate security audit. For ArchSpec-level audit, use security_scan.

Behavior: Pure computation — no LLM, no network. Does not run Terraform or touch cloud. Safe for scanning untrusted HCL.

Input Schema

Name: hcl_content
Required: Yes
Default: (none)
Description: Raw Terraform HCL source code to scan. Typically the contents of a `main.tf` file or a concatenated module. The scanner parses resource blocks directly; no terraform binary is invoked.
Behavior: 5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations provided, so description carries full burden. It discloses that the tool is pure computation with no LLM, no network, does not run Terraform or touch cloud, and is safe for scanning untrusted HCL. No contradiction with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Description is well-structured: first sentence states purpose, then examples, when-to-use, and behavior. Every sentence adds value, no fluff. Length appropriate for the information conveyed.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Tool has one parameter and is security-related. Description covers purpose, usage, behavior, and parameter details. Mentions output (severity-graded findings on resource blocks). Complete for this complexity level.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema coverage is 100%, so baseline is 3. Description adds significant value by explaining the parameter is raw HCL source code, typical usage (main.tf), and how the scanner works (parses directly, no terraform binary). Just above baseline.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

Description clearly states it scans Terraform HCL for security misconfigurations, using specific verb 'scan' and resource 'Terraform HCL'. It distinguishes itself from sibling tool security_scan which is for ArchSpec-level audit.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 5/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Explicit 'When to use' section specifies to use this tool when you have existing Terraform code (not an ArchSpec) for an immediate security audit, and directs to security_scan for ArchSpec-level audit. Provides clear context and alternative.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/xmpuspus/cloudwright'