Agent/MCP Audit Sprint

48-hour async review for teams shipping agent tools

$1,000 Agent/MCP Audit Sprint

I review one agent, MCP server, or tool-using product for the practical failure modes that break launches: tool boundaries, secrets, auth, prompt/tool injection, test gaps, and deployment assumptions.

Price: $1,000 fixed
Scope: 1 repo or product slice
Output: Ranked report + patch plan

What ships

A review a maintainer can act on immediately

01 Boundary Map

Every tool, transport, credential, external API, and write action mapped into read-only, write, destructive, and privileged paths.

02 Risk Findings

Ranked issues with reproduction steps, evidence, affected files, severity, impact, and the lowest-risk fix path.

03 Test Plan

Concrete tests for tool contracts, auth gates, secret redaction, retry behavior, and failure states that agents commonly trigger.

04 Launch Notes

Short handoff covering what to fix now, what to monitor, and what to defer without increasing customer-facing risk.

Sample evidence

Based on real public repos, not a synthetic demo

The sample audits cover three real public repos: douban-mcp, a public MCP server + CLI with auth, write tools, and external scraping; firecrawl-mcp-server, a production MCP server with hosted/local transports, OAuth, monitor tools, and local parsing; and browserbase/mcp-server-browserbase, a browser automation MCP server with stdio and HTTP transports, sessions, page actions, observation, and extraction tools.

Example findings from the sample reports:
  High: Remote SSE should document binding and exposure policy
  Med:  Browserbase HTTP transport needs an explicit exposure matrix
  Low:  Operational logs should treat URLs, sessions, and downloads as sensitive artifacts
  Pass: Browserbase sample passed pnpm install, build, and tests

Best fit

For founders and maintainers who already have something running

MCP servers with local or remote transports
Agent tools that touch user accounts or external APIs
CLI-to-agent bridges before a public launch
LLM workflows with write actions, publishing, or secrets
Small teams that need a senior outside review without a long consulting process
Open-source maintainers preparing a paid cloud or hosted version

Free triage tool

Run the same first-pass scanner before booking

The repo includes a browser scanner for public GitHub URLs, a private local-file scanner, a Node script, and a reusable GitHub Action that scan an agent or MCP codebase for review signals: transports, write actions, credential paths, auth gates, redaction, tests, and CI.

Run:   npm exec --yes github:jackjin1997/agent-audit-sprint -- /path/to/repo
JSON:  npm --silent run audit:repo -- /path/to/repo --json
SARIF: uses: jackjin1997/agent-mcp-code-scan-action@v1 with sarif: "true"
Then:  book the paid sprint for human review and fix planning.

Ready to start

Generate a clean audit request brief

Use this local-only builder to prepare the exact scope, delivery preference, and payment network before opening a GitHub request. Public GitHub repo requests get an automated no-execution scanner triage comment before paid scope acceptance.


Payment

Fixed price, crypto-ready, invoice-first friendly

Open an audit request, include the repo/product slice, and pay after scope is accepted. ETH, ERC-20 USDC/USDT/DAI, SOL, and SPL USDC are ready now; if you need an invoice-first discussion, choose that option in the intake form.

  1. Open an intake issue with the repo, scope, preferred network, and asset.
  2. Pay $1,000 after scope is accepted, or request invoice discussion first.
  3. Reply with the transaction hash; the audit starts after confirmation.
Ethereum
Ethereum payment address: 0xa7F2235a77FBc4eCcbF60923BCDF6Df74eC710FF

Accepted assets after scope acceptance: ETH or ERC-20 USDC/USDT/DAI.

Solana
Solana payment address: 5CjUaMAsbXx2Hjczwoqi4MChTU1KjfUzbdiwPqZeceVM

Accepted assets after scope acceptance: SOL or SPL USDC.

Operator

Zexu Jin

Backend engineer focused on Agent Harness, Tool Use, MCP, Evals, and AI infrastructure.