Skip to main content
Glama

tools_arjun

Discover hidden HTTP parameters on target URLs using customizable request methods, headers, wordlists, and concurrent threads for efficient enumeration.

Instructions

Discover hidden HTTP parameters using Arjun.

Args: url: Target URL method: HTTP method (GET, POST, JSON) headers: Custom headers as key:value pairs, comma-separated wordlist: Custom wordlist path on Kali (default: Arjun built-in) delay: Delay between requests in seconds (default: 0) threads: Number of concurrent threads (default: 2) include: Only test these parameters (comma-separated) exclude: Skip these parameters (comma-separated)

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
urlYes
delayNo
methodNoGET
excludeNo
headersNo
includeNo
threadsNo
wordlistNo

Output Schema

TableJSON Schema
NameRequiredDescriptionDefault
resultYes
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description bears full responsibility for disclosing behavioral traits. It merely lists arguments without explaining the tool's operational behavior—such as making HTTP requests, potential noise, or safety considerations. The agent learns nothing about side effects or requirements beyond what is inferred from parameter names.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is well-structured with a clear purpose statement followed by a bullet list of arguments. It is concise, though the argument list is moderately long. The information is front-loaded and easy to scan.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the existence of an output schema, the description does not need to explain return values. However, it lacks behavioral context (e.g., network activity, concurrency, safety) that would help the agent assess impact. For a tool with 8 parameters and moderate complexity, the description covers inputs but misses operational context.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters4/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Although schema description coverage is 0%, the description provides meaningful explanations for each parameter (e.g., 'url: Target URL', 'method: HTTP method (GET, POST, JSON)'). This compensates well for the missing schema descriptions, adding clarity to each argument. Some descriptions are terse but sufficient.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description explicitly states 'Discover hidden HTTP parameters using Arjun.' This clearly identifies the verb (discover), resource (hidden HTTP parameters), and tool (Arjun). It effectively distinguishes this tool from its siblings, which cover different security testing tasks.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus other similar tools like api_fuzz_endpoint or tools_gobuster. It neither mentions prerequisites, recommended scenarios, nor alternatives, leaving the agent without context for appropriate invocation.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zebbern/zebbern-kali-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server