Agent Safety Lab by StevenB

Launch-readiness audits for AI-built systems

We review public repos for practical safety, reliability, and documentation issues before launch, with a focus on AI-built apps, agent workflows, and MCP servers.

Independent project by StevenB. FreeCodex is the public workshop; GitHub proof identity is bmtriet.

24-48h: typical turnaround
No credentials: public repo only
Open source: star, fork, or run locally

Why this now

The failure pattern is getting clearer: fast demos, weak trust boundaries.

Recent public builder threads keep naming the same practical blockers: Supabase/RLS confusion, IDOR/BOLA mistakes, leaked keys, webhook validation gaps, and MCP tool permissions that were never reviewed as a launch surface.

Proof of work

Merged open-source contributions, not slideware.

StevenB contributes practical security and readiness fixes through normal open-source review. These public PRs show the work pattern without implying affiliation, endorsement, certification, or paid customer status.

Dify

Added a SECURITY.md disclosure path to a large public AI-agent repository.

Merged PR #36873

Whisper

Updated session WebCrypto key handling so operational keys are non-extractable.

Merged PR #9

Hera

Delivered a small public safety/readiness fix for an event web project.

Merged PR #75

What gets checked

Catch boring launch mistakes before they become expensive.

Secrets and env handling

Obvious leaked-secret patterns, risky env examples, and client-side secret names.

Tenant isolation

Public code paths that suggest missing ownership checks, broad policies, or IDOR risk.

Public readiness

README, license, security policy, gitignore, CI, dependency metadata, and examples.

Agent workflow risk

Agent instructions, MCP configs, skill files, and workflows that pass untrusted text into agents.

Webhook and browser risk

Signature prompts, wildcard CORS, static CSP gaps, and launch-facing browser defaults.

Use it yourself

Run the lightweight audit locally, then star the repo if it saved time.

FreeCodex is public by design. Builders can run the deterministic checks before asking for a paid report, and the repo stays useful even when a buyer is not ready yet.

git clone https://github.com/bmtriet/FreeCodex.git
cd FreeCodex
python3 scripts/validate_repo.py
python3 scripts/repo_audit.py audit --path . \
  --output local-audit.md

Before you request

Use the public resources first, then open a fit check when the repo is ready.

Not ready to request? Run the audit locally, read the launch checklist, or view a sample report first. No credentials or account access are needed.

Deliverable

One concise markdown report with a prioritized fix list.

High: Possible frontend secret exposure
Medium: Static header config missing obvious CSP
Low: Security policy missing reporting path
Evidence is redacted. Uncertain items are labeled for manual review.

Simple pricing

Start with the report. Scope fixes only after facts are clear.

Fit check

Free

Quick scope check for a public repo. No full report, credentials, or pressure.

Standard audit

USD 149

Manual launch-readiness review, prioritized report, and concrete fix plan.

Report + one fix PR

USD 299+

Standard audit plus one bounded public PR, only after fit and scope confirmation.

Payment destination after scope confirmation: ko-fi.com/freecodex.

Request

Send a public repo URL and launch context.

Do not send secrets, passwords, tokens, cookies, private keys, or account access. Listed prices are for public repos. Private repos need explicit permission and separate scope discussion.

The booking path is a public GitHub issue form. First contact stays public-safe, and payment happens only after a positive reply, scope confirmation, and consent to proceed.

Boundary

This is a lightweight launch/readiness audit. It is not a certified penetration test, legal advice, compliance guarantee, or proof that a repository is secure.