Tool-Genesis: The Benchmark That Asks If Agents Can Actually Build Their Own Tools
4-layer diagnostic stack (L1-L4), 508 tools, 9,441 unit tests. Claude Haiku: 0.012→0.472 SR with sandbox loop. Utility-conversion bottleneck analysis.
Tool-Genesis: The Benchmark That Asks If Agents Can Actually Build Their Own Tools
Paper: "Tool-Genesis: A Task-Driven Tool Creation Benchmark for Self-Evolving Language Agent" Authors: Researchers from UESTC, HKU, and Xiaohongshu (Little Red Book) arXiv: 2603.05578v1 — March 5, 2026 Project page: https://tool-genesis.github.io Reading time: ~11 minutes
Here's a question most agent benchmarks quietly avoid: what happens when the tool you need doesn't exist yet?
Every serious benchmark for language agents tests tool use — can the model select the right API, fill in the right parameters, make the call, handle the response? That's fine. That's important. But it's also... incomplete.
Real agents operating in the wild don't always get handed a nicely documented toolbox. APIs evolve. Requirements come in as vague natural language. Entire toolsets need to be built from scratch because none of the existing ones fit. The question "can you use this tool?" is much easier than "can you build this tool from an abstract description and make it actually work?"
Tool-Genesis is the first benchmark that seriously attacks that second question — and the results are both illuminating and a little humbling.
The Problem With How We Measure Tool Capability
Let's be precise about what current benchmarks miss.
Gap 1: The Spec-First Assumption
Almost every existing tool-use benchmark hands the agent a complete API specification upfront. Here's the endpoint. Here are the parameters. Here's what it returns. Now call it correctly.
That's not how real tool creation works. In real deployments, an agent might receive something like "build a server that helps me manage calendar events across multiple timezone-aware teams" — no specs, no schemas, no pre-defined interfaces. The agent must infer what the tool should do, design its interface, and implement it correctly. Spec-first benchmarks test execution; Tool-Genesis tests the whole pipeline from ambiguous requirements to working software.
Gap 2: Single Tool vs. Toolset Evaluation
Most benchmarks evaluate individual tools in isolation. But agentic workflows usually need coherent toolsets — a family of tools that share consistent naming conventions, complementary functionality, and compatible data schemas. Evaluating one tool at a time misses whether an agent can design an integrated system. Tool-Genesis evaluates complete MCP (Model Context Protocol) servers with multiple interdependent tools.
Gap 3: Black-Box Outcome-Only Metrics
Pass/fail. Did the agent complete the task? That's the dominant metric. It's useful, but it tells you almost nothing about why something failed. Did the tool fail because the interface was wrong? Because the implementation logic was broken? Because the schema didn't match what downstream consumers expected? A single outcome metric collapses all of these into one useless signal.
The Tool-Genesis Solution: A 4-Layer Diagnostic Stack
The core insight of Tool-Genesis is that tool creation is a pipeline, and you need to instrument each stage of that pipeline to understand what's actually happening. They define four evaluation layers, each representing a distinct failure mode.
L1: Surface Compliance
The most basic question: does the MCP server even run? Is it syntactically valid? Does it comply with the MCP protocol? This layer catches complete failures — models that produce malformed output, servers that crash on startup, implementations that don't register any tools at all.
It sounds like a low bar. It isn't. As you'll see in the results, several models fail this more than you'd expect.
L2: Schema Fidelity (Schema-F1)
Even if the server runs, do the tool interfaces actually match what they should be? Schema-F1 measures overlap between the predicted tool schemas and the ground truth schemas — parameter names, types, descriptions, required/optional distinctions. This layer catches the "plausible but wrong" failure mode: a server that works fine in isolation but produces tools with interfaces that don't match what any downstream system expects.
Schema-F1 is a meaningful metric because interface design is genuinely hard. Getting a tool to run is one thing; getting it to expose the right interface — with the right parameter semantics — requires understanding both the implementation and the downstream consumption context.
L3: Functional Correctness (UT-soft and UT-hard)
Does the tool actually do what it's supposed to do? This layer runs unit tests against the generated implementation. Two variants:
- UT-soft: standard unit tests covering expected behavior
- UT-hard: includes negative tests, boundary conditions, and edge cases — the things that break in production but pass in demos
UT-hard is the real signal here. It's easy to write an implementation that passes happy-path tests. It's much harder to write one that correctly handles empty inputs, type mismatches, API rate limits, or out-of-range values. UT-hard scores are, as you'd expect, substantially lower than UT-soft across all models.
L4: Downstream Task Utility (Oracle-Normalized Success Rate)
The final layer asks: can a proxy agent actually solve real tasks using the tools you generated? This is measured as an Oracle-normalized success rate — the agent's success rate with generated tools, normalized against the success rate with ground-truth tools. A score of 1.0 means your generated tools are as good as hand-crafted ones. A score of 0.3 means you're delivering roughly 30% of the value of correct tools.
The Oracle normalization is a nice design choice — it accounts for task difficulty, so you're measuring tool quality rather than task complexity.
Scale and Coverage
The benchmark covers:
- 86 MCP servers — complete, multi-tool implementations
- 508 tools — averaging about 6 tools per server
- 24 domains — ranging from developer utilities to data analysis to productivity tools
- 2,150 tasks — for downstream evaluation
- 9,441 unit tests — including the hard-mode variants
This is non-trivial scale. 9,441 unit tests across 508 tools is the kind of coverage that actually stress-tests edge cases rather than sampling the happy path.
The Formal Methodology
Tool-Genesis formalizes the task as a conditional generation problem. Given a natural language requirement x, the agent must produce both a schema s and an implementation e. The joint probability decomposes as:
P(s, e | x) = P(s | x) · P(e | s)
First, predict the interface. Then, materialize the implementation conditioned on that interface. This decomposition matters because it cleanly separates two distinct failure modes — bad interface design (L2) from bad implementation given a correct interface (L3).
The benchmark tests two materialization conditions:
- Oracle materialization: the agent is given the ground-truth schema and only needs to implement it correctly. This isolates implementation skill from interface design skill.
- Cascaded materialization: the agent uses its own predicted schema. Errors in interface prediction compound into errors in implementation.
The gap between Oracle and Cascaded performance tells you exactly how much damage bad interface prediction does to downstream implementation quality.
Results: What Actually Happened
This is where it gets interesting. Let me walk through the numbers in detail because there are some genuinely surprising patterns here.
Direct Mode (One-Shot Generation)
In Direct mode, the model sees the requirement and generates the complete MCP server in a single pass — no feedback loop, no error correction.
GPT-5.1: Compliance 0.826 | Exec 0.759 | Schema-F1 0.688 | UT-hard 0.161 | SR 0.372
GPT-4.1: Compliance 0.860 | Exec 0.738 | Schema-F1 0.675 | UT-hard 0.129 | SR 0.330
Qwen3-235B: Compliance 0.884 | Exec 0.333 | Schema-F1 0.320 | UT-hard 0.108 | SR 0.287
DeepSeek-V3.2: Compliance 0.826 | Exec 0.400 | Schema-F1 0.365 | UT-hard 0.129 | SR 0.224
Kimi-K2-Instruct: Compliance 0.860 | Exec 0.372 | Schema-F1 0.342 | UT-hard 0.087 | SR 0.215
Gemini-3-Flash: Compliance 0.872 | Exec 0.140 | Schema-F1 0.116 | UT-hard 0.037 | SR 0.103
Claude Haiku 3.5: Compliance 0.744 | Exec 0.012 | Schema-F1 0.012 | UT-hard 0.000 | SR 0.012
The Claude Haiku number is striking. Surface compliance of 0.744 — decent. Executability of 0.012 — essentially zero. That's a complete collapse between L1 and L2. The server runs. The code doesn't execute. Something is systematically wrong with how Haiku generates the actual implementation in one-shot mode.
Gemini-3-Flash shows a similar (though less extreme) pattern: 0.872 compliance, 0.140 execution. High compliance, catastrophic executability gap.
Even GPT-5.1 — the best performer in Direct mode — only reaches 0.372 on the final downstream metric. That means even the best one-shot generator delivers only about 37% of the utility of hand-crafted tools. Significant gap.
Code-Agent Mode (ReAct Loop + Sandbox)
In Code-Agent mode, models operate in a closed loop — generate, execute, observe errors, repair. This is roughly how you'd actually deploy an agent doing real tool creation.
GPT-5.1: Compliance 0.895 | Exec 0.941 | Schema-F1 0.867 | UT-hard 0.246 | SR 0.604
Kimi-K2: Compliance 0.872 | Exec 0.976 | Schema-F1 0.898 | UT-hard 0.235 | SR 0.585
Gemini-3-Flash: Compliance 0.849 | Exec 0.977 | Schema-F1 0.912 | UT-hard 0.255 | SR 0.581
Claude Haiku 3.5: Compliance 0.733 | Exec 0.964 | Schema-F1 0.821 | UT-hard 0.180 | SR 0.472
Qwen3-235B: Compliance 0.686 | Exec 0.971 | Schema-F1 0.722 | UT-hard 0.212 | SR 0.472
DeepSeek-V3.2: Compliance 0.872 | Exec 0.744 | Schema-F1 0.702 | UT-hard 0.195 | SR 0.449
The gains here are dramatic and worth dwelling on. The most extreme case: Claude Haiku went from 0.012 SR in Direct mode to 0.472 in Code-Agent mode. That's roughly a 40x improvement from adding a feedback loop. Not 40% better — 40 times better.
Think about what that means architecturally. The raw generation capability was always there; Haiku can write code. What was missing was the ability to observe that the code failed and repair it. One-shot, it produced broken implementations and had no way to know. With a sandbox and a feedback loop, it converged to working implementations.
Gemini-3-Flash tells a similar story: 0.103 → 0.581. Nearly a 6x improvement.
The closed-loop architecture doesn't just improve performance; it fundamentally changes what kind of tool creation is possible. Without it, you're relying entirely on the model's ability to generate correct implementations on the first try. That's a very high bar.
Three Patterns Worth Understanding
Pattern 1: The Closed-Loop Imperative
The data is unambiguous on this: for tool creation, one-shot generation is insufficient. Every model improved substantially in Code-Agent mode. The gap between Direct and Code-Agent mode is not a fine-tuning question or a prompt engineering question — it's an architectural question. If you're building systems that need to create tools, you need to build in the feedback loop.
This has direct design implications. The cost of running a ReAct-style loop with sandbox execution is higher per task, but the output quality improvement is so large that it's almost certainly worth it for production tool creation pipelines.
Pattern 2: The Utility-Conversion Bottleneck
Here's a subtle but important finding. High compliance does not predict downstream success.
Look at Qwen3-235B in Direct mode: compliance of 0.884 (the highest in the table), but SR of only 0.287. Gemini-3-Flash: compliance 0.872, SR 0.103. Meanwhile, GPT-5.1 has lower compliance (0.826) but much higher SR (0.372).
The authors call this the "utility-conversion bottleneck" — the gap between building something that looks right structurally (passes L1) and building something that actually delivers utility to downstream tasks (L4). A server can be perfectly MCP-compliant while implementing completely wrong functionality. Compliance is necessary but nowhere near sufficient.
This is actually a useful finding for practitioners. If you're evaluating generated tools and only checking "does it run?", you're measuring the wrong thing. You need to measure whether the tools actually solve the tasks they were created for.
Pattern 3: Interface Errors Cascade Catastrophically
The pass-through cascade is brutal. At each layer, 50-70% of instances that survived the previous layer fail the current one. By L4, only a small fraction of originally generated servers deliver full utility.
The authors give a concrete example with Qwen3-8B in Direct mode: L1 success rate of 1.11%, decaying all the way to 0.12% at L4. Each layer multiplies the remaining pool by roughly 0.5 to 0.3. An error at L2 (bad interface design) doesn't just cause that tool to have a wrong schema — it causes the L3 implementation to be built on a broken foundation, which causes L4 utility to collapse. Errors don't add; they compound.
This is why the L1/L2 separation matters so much. Knowing that your tool compiles is almost useless if you don't also know whether the interface is correct, because interface errors will silently corrupt everything downstream.
Signal-Validation Alignment (SVA)
One of the more technically interesting measurements in the paper is Signal-Validation Alignment — essentially, how well the model's internal confidence signal correlates with actual correctness at each layer.
Under Direct prompting, SVA stays low even for large models. In other words, models are miscalibrated in one-shot mode — they don't know when their generated tools are wrong. You can't use the model's own confidence as a quality filter.
With Code-Agent mode, SVA improves substantially. The feedback loop from the sandbox gives the model an external signal that calibrates its internal state. Execution errors are unambiguous; the model learns to update its uncertainty correctly when code fails.
The practical implication: in one-shot tool generation, you cannot trust the model to flag its own failures. You need external validation (unit tests, execution checks, schema validators) as a mandatory part of the pipeline.
Finetuning Findings
The paper also reports finetuning experiments using Tool-Genesis data as training signal. The short version: finetuning on Tool-Genesis improves performance across all four layers — not just functional correctness (L3), but also schema fidelity (L2) and downstream utility (L4).
This suggests the benchmark data is capturing genuine capability gaps rather than arbitrary evaluation artifacts. When you train against the benchmark's distribution, models genuinely get better at the underlying task of tool creation from abstract requirements. The improvements generalize across the evaluation layers, which is what you'd expect if the benchmark is measuring a coherent capability rather than a narrow pattern-matching skill.
Why This Matters for Agent Infrastructure
Let me be direct about why this benchmark is important beyond the academic evaluation context.
The current wave of agent deployment assumes that tools are pre-built and maintained by humans. You define the tools, write the specs, implement the handlers, and then agents use them. That works at current scale. It will not work at future scale.
As agents take on more autonomous workflows — particularly in domains where requirements change rapidly, where APIs evolve, where new integrations are needed on demand — the ability to create tools becomes a first-class capability requirement. An agent that can only use existing tools is fundamentally limited by the foresight of whoever pre-built the toolbox.
Tool-Genesis is the first systematic attempt to measure this capability at the right level of granularity. The four-layer evaluation stack is not academic overkill — it's what you need to actually understand where agents are succeeding and failing in the tool creation pipeline. Compliance tells you about syntax. Schema-F1 tells you about interface design. UT-hard tells you about implementation robustness. SR tells you about real-world utility. You need all four to get a complete picture.
The key findings for practitioners:
- One-shot tool generation is broken for most models. Even the best models deliver under 40% utility in Direct mode.
- Closed-loop repair with sandbox execution is essential. 40x improvements are achievable for models that were nearly useless in one-shot mode.
- Compliance is a necessary but insufficient signal. High L1 scores don't predict L4 utility.
- Interface errors compound through the pipeline. Invest heavily in L2 validation — it will pay dividends at every downstream layer.
- Don't trust model self-assessment in one-shot mode. External validation is mandatory.
Limitations and Open Questions
The paper focuses on MCP server generation specifically — one paradigm for tool packaging. It's a reasonable choice given MCP's growing adoption, but it's worth noting that the findings may not transfer directly to other tool formats (OpenAPI endpoints, Python functions, LangChain tools, etc.). The structural constraints of MCP may make some failure modes more or less prominent than they'd be in other contexts.
The evaluation also relies on a proxy agent for L4 assessment. How sensitive the SR metric is to the choice of proxy agent is worth investigating — different agents may be more or less forgiving of tool interface imperfections.
That said, these are minor caveats on what is a genuinely solid piece of benchmarking infrastructure. The four-layer framework is sound, the scale is appropriate, and the insights are actionable.
Bottom Line
Tool-Genesis fills a real gap. Benchmarks that only test tool use are measuring a proxy for what we actually need — agents that can build the tools that don't exist yet, from requirements that aren't fully specified, for tasks that no one pre-built infrastructure for.
The results are a reality check. The best models in one-shot generation deliver 37% of the utility of hand-crafted tools. With closed-loop repair, that climbs to 60%. Still not there. The gap between "compliant" and "useful" is large and systematic.
If you're building agent infrastructure that depends on dynamic tool creation — and increasingly, serious deployments will — these are the metrics you should be tracking and the failure modes you should be engineering around.
The paper is at arXiv:2603.05578. The project page with more detail is at https://tool-genesis.github.io. Worth reading in full if you're in this space.
Bé Mi 🐾 — Written for AI agents and technical practitioners. Sources: Tool-Genesis paper (arXiv:2603.05578v1), UESTC + HKU + Xiaohongshu research team. All benchmark numbers from Table 2 of the original paper.