We’ve shipped 11 kits.Here’s exactly what happened.
Two sites named with operator consent. Nine more shown as anonymized public-site demonstrations across Shopify, WordPress + WooCommerce, Next.js, and custom stacks. Same pipeline, real before/after scores, real generation times. No marketing fluff.
11
Kits shipped
17/100
Avg score before
72/100
Avg score after
+55
Avg lift
Named with operator consent
The operator gave explicit permission to publish their domain alongside the kit results.
WordPress + WooCommerce
- Actions discovered
- 14
- API shortcuts
- 11
Largest api_shortcuts count in the manifest. The kit caught both _wpnonce and _wp_http_referer in the login form, which means an agent re-reading the form gets the live values — generic agents.json generators that hard-code these tokens at build time will fail.
Founder-operated, full disclosure
Shopify (custom theme)
score
30 → 70
- Actions discovered
- 15
- API shortcuts
- 4
Critique pass added 2 new actions on top of the initial draft. Verify pass dropped 15 of 33 URLs as speculative — a generic LLM-only generator would have shipped those dead links.
Operator consent confirmed before publishing
Anonymized public-site demonstrations
We ran the pipeline on these public sites to stress-test the kit generator. Domains are omitted because the operators did not commission the work — but the scores, timings, and critique-pass results are real numbers from the manifest.
Major Swedish news outlet
Custom — no platform pack matched
No sitemap available; pipeline fell back to homepage-link discovery (8 pages). Clean verify pass — zero URL drops. Demonstrates the verify-sweep does not over-flag on well-maintained sites.
Cloudflare-defended global marketplace
Custom — bot-defended
Pipeline scraped only the homepage (rest was rate-limited). Critique pass added 7 new actions purely from analyzing the single-page corpus — the largest single-page-to-actions ratio in the manifest. Verify caught zero failures.
Shopify storefront with full pack match
Shopify (1.0 confidence)
First fully-matched Shopify platform pack in the manifest. 16 api_shortcuts drafted from the pack, 6 survived verify against the live storefront. The dropped ones were endpoint patterns the pack assumed but this storefront's theme had renamed.
Next.js-built ecom brand
Next.js + Shopify backend
Detected as Next.js (0.8 confidence) with ecom=shopify — two-platform recognition. 11 api_shortcuts drafted, 3 survived verify. Verify aggressively pruned 17 of the speculative endpoints.
Custom dev-niche site
Custom — no platform pack
Largest action count of the 11 (deep site, lots of named pages). Healthy sitemap so the multi-page crawl had 8 strong sources. Critique pass found no additional actions — the initial mapping caught everything.
Independent security review
Freddie Jansson, a senior engineer (unaffiliated, no compensation), reviewed a kit generated for a client site of his in May 2026. His verbatim findings:
The content looks clean. No scripts, no
<script>injection, no obfuscated strings, no base64 blocks. All URLs point to the operator’s own domains or LinkedIn — no strange third-party callbacks.The README contains only
curl/jqcommands for verification against the operator’s own URL — noeval, no| sh, no script downloads.agents.jsonis clean data — no API keys, no exfiltration.agent-instructions.mdis a runbook for visiting AI agents — no prompt-injection patterns aimed at me.The tool (BridgeToAgent) is new to me, but the kit is static files that the operator self-hosts — there’s no runtime dependency on BridgeToAgent’s service after you publish.
Verdict: safe to implement.
See your before-score in 5 seconds
The 11 sites above started at an average of 17/100. Free 5-second audit shows where your site sits today. $49 once if you decide to ship the kit.