Fix your website with an AI agent

Connect your coding agent to squirrelscan over MCP, audit your live site, and loop through the fixes until the issues close

This is the workflow squirrelscan was built for: your coding agent audits your live site, reads the report, fixes what it can in the repo, you deploy, and it re-audits until the score climbs and the issues close on their own.

We ran exactly this loop against one of our own sites. Across four audits and three rounds of fixes the site went from a health score of 79 to 84, grade C to B, and from 96 findings down to 71. Six tracker issues closed themselves once the fix landed and the rule stopped firing. This guide walks you through the same loop.

What you need

  • A coding agent that speaks MCP: Claude Code, Codex CLI, Cursor, opencode, or any other MCP client.
  • A squirrelscan account. Cloud audits are pay-as-you-go and free accounts get 500 credits a month, so you can run this loop today without a card. See Credits.
  • The repository for the site you want to fix, checked out locally.

Step 1: Connect the hosted MCP and install the skills

Point your agent at the hosted MCP server. There is nothing to install and no local process to keep running:

https://mcp.squirrelscan.com/mcp

The server gives your agent 14 tools for running cloud audits, reading reports, working the per-website issue tracker, and browsing the rule catalog. The Hosted MCP server guide covers the full tool list, OAuth versus API-key auth, and how credits work. For the exact config for each client, see MCP client setup.

Then install the squirrelscan skills so your agent knows the audit workflow without you spelling it out each time:

bash
squirrel skills install

This adds the audit-website skill (it runs npx skills add under the hood). See squirrel skills and the AI agent integration guide for what the skill does.

Step 2: Start your agent from the project folder

Change into the repository for the site you are fixing and start your agent there. This matters: when the agent is inside the repo, it can read your source, make the edits, and open the files that produce the pages the audit flags.

bash
cd ~/code/my-website

Each client connects to the same hosted endpoint. Here is the one-step connect for the common ones. Full per-client detail, including API-key auth for CI, lives in MCP client setup.

bash
claude mcp add --transport http squirrelscan https://mcp.squirrelscan.com/mcp

Start claude in the project, run /mcp, select squirrelscan, and choose Authenticate. Your browser opens for sign-in and organization selection.

bash
codex mcp add squirrelscan --url https://mcp.squirrelscan.com/mcp
codex mcp login squirrelscan

codex mcp login runs the browser sign-in and stores the token encrypted.

Add a remote server entry to .cursor/mcp.json in the project:

json
{
  "mcpServers": {
    "squirrelscan": {
      "url": "https://mcp.squirrelscan.com/mcp"
    }
  }
}

Open Settings, find squirrelscan, and click Needs login to run the browser flow.

Add a remote MCP server to opencode.json in the project:

json
{
  "$schema": "https://opencode.ai/config.json",
  "mcp": {
    "squirrelscan": {
      "type": "remote",
      "url": "https://mcp.squirrelscan.com/mcp",
      "enabled": true
    }
  }
}

opencode runs the OAuth flow on first connect. See MCP client setup for the other clients.
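Both of these files live in the project, so they are worth checking in review or CI like any other dependency pin. The following is an added example, not squirrelscan's or either client's own tooling: it reads the two config shapes shown above and flags any remote MCP entry that is not HTTPS, carries credentials in the URL, or points somewhere other than the hosted endpoint. The function names and the altered sample configs are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Hosted endpoint as given on this page.
EXPECTED = "https://mcp.squirrelscan.com/mcp"

def remote_servers(config):
    """Collect {name: url} from either project config shape shown above."""
    found = {}
    # Cursor (.cursor/mcp.json): {"mcpServers": {name: {"url": ...}}}
    for name, entry in config.get("mcpServers", {}).items():
        if "url" in entry:
            found[name] = entry["url"]
    # opencode (opencode.json): {"mcp": {name: {"type": "remote", "url": ...}}}
    for name, entry in config.get("mcp", {}).items():
        if entry.get("type") == "remote":
            found[name] = entry.get("url", "")
    return found

def check_config(text, allowed=frozenset({EXPECTED})):
    """Return a list of problems; an empty list means every remote entry passed."""
    problems = []
    for name, url in sorted(remote_servers(json.loads(text)).items()):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{name}: not https: {url}")
        elif parts.username or parts.password or parts.query:
            problems.append(f"{name}: secret-bearing URL (userinfo or query string)")
        elif url not in allowed:
            problems.append(f"{name}: endpoint not on allowlist: {url}")
    return problems

# Constructed samples: the two configs from this page, then two altered ones.
CURSOR_OK = '{"mcpServers": {"squirrelscan": {"url": "https://mcp.squirrelscan.com/mcp"}}}'
OPENCODE_OK = ('{"mcp": {"squirrelscan": {"type": "remote", '
               '"url": "https://mcp.squirrelscan.com/mcp", "enabled": true}}}')
CURSOR_HTTP = '{"mcpServers": {"squirrelscan": {"url": "http://mcp.squirrelscan.com/mcp"}}}'
OPENCODE_OTHER = ('{"mcp": {"squirrelscan": {"type": "remote", '
                  '"url": "https://mcp.squirrelscan.com.example.net/mcp"}}}')

if __name__ == "__main__":
    for label, text in [("cursor", CURSOR_OK), ("opencode", OPENCODE_OK),
                        ("cursor-http", CURSOR_HTTP), ("opencode-other", OPENCODE_OTHER)]:
        print(label, check_config(text) or "ok")
```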

Before the first audit, have the agent confirm who it is acting for. A quick prompt like “run whoami” makes it call the whoami tool, which reports your organization and current credit balance. If the balance and org look right, you are ready.

Step 3: Run the loop

The loop is: audit, read, fix, deploy, re-audit. Here is what the agent does on the first pass, tool by tool:

  1. Kick off the audit

    You prompt the agent to audit your site. It calls run_audit with the URL. The first call comes back with status: "confirmation_required", a credit estimate (an upper bound), and your balance. The agent shows you the estimate.

  2. Confirm the spend

    You approve, and the agent calls run_audit again with confirm: true. The audit starts and returns a run_id. A cloud fast audit takes about two minutes and covers roughly ten pages. Small audits (an estimate at or under 50 credits) skip the confirmation and start right away.

  3. Wait for results

    The agent polls get_audit_status with the run_id until the run completes, then pulls the report with get_report. Start with the summary format for scores and top issues; llm or markdown gives the full detail.

  4. Work the issue tracker

    The agent calls list_issues for the website to see every open finding, then get_issue for the detail and fix guidance on the ones worth tackling. It implements the fixes in your repo.

  5. Deploy, then re-audit

    You deploy the changes. The agent runs run_audit again. Because cloud audits hit your live site, the re-audit only reflects fixes that are actually deployed. Issues resolve when their rule stops firing.
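The two-call confirmation in steps 1 and 2 is the point where an agent's spending authority can be bounded in code instead of by prompt wording alone. The following is an added example, not squirrelscan's client code: it wraps run_audit so that confirm: true is only sent when the estimate fits a caller-supplied cap and the reported balance. The `url`, `estimated_credits` and `balance` field names, the `refused` result and the `FakeServer` stand-in are assumptions made so the example runs offline; only `status: "confirmation_required"`, `confirm: true` and `run_id` come from this page.

```python
class FakeServer:
    """Constructed stand-in for the hosted server so the example runs offline."""
    def __init__(self, estimate, balance):
        self.estimate, self.balance, self.calls = estimate, balance, []

    def call(self, tool, **args):
        self.calls.append((tool, args))
        if tool != "run_audit":
            raise ValueError(f"tool not simulated: {tool}")
        # Per the page: estimates at or under 50 credits start without confirmation.
        if args.get("confirm") or self.estimate <= 50:
            return {"run_id": "run-constructed-1"}
        return {"status": "confirmation_required",
                "estimated_credits": self.estimate,  # assumed field name
                "balance": self.balance}             # assumed field name

def guarded_run_audit(call, url, max_credits):
    """Send confirm: true only when the estimate fits the cap and the balance."""
    first = call("run_audit", url=url)
    if first.get("status") != "confirmation_required":
        return first  # small audit: the server already started it
    estimate, balance = first["estimated_credits"], first["balance"]
    if estimate > max_credits:
        return {"status": "refused", "reason": f"estimate {estimate} > cap {max_credits}"}
    if estimate > balance:
        return {"status": "refused", "reason": f"estimate {estimate} > balance {balance}"}
    return call("run_audit", url=url, confirm=True)

def demo(estimate, balance, cap=200):
    """Run the guard against the stand-in; return (result, total calls, confirm calls)."""
    server = FakeServer(estimate, balance)
    result = guarded_run_audit(server.call, "https://staging.example.com", cap)
    confirms = sum(1 for _, a in server.calls if a.get("confirm"))
    return result, len(server.calls), confirms

if __name__ == "__main__":
    for est in (340, 120, 40):
        print(est, demo(est, balance=500))
```

Audits estimated at 50 credits or less start on the first call, so a guard like this cannot veto them.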

How issues close

Issues live in a per-website tracker, and they close by themselves. When you re-audit and a rule no longer fires on any page, the issues it raised move to resolved: you do not tick anything off by hand. In our run, six issues auto-closed across the fix rounds.

Partial fixes are visible too. Each issue carries an occurrence count, the number of pages or items still tripping the rule, and that count decays as you fix pages. One issue in our run went from 8 occurrences to 7 to 1, then resolved once the last page was fixed. A dropping count with the issue still open means you are on the right track and not yet done.

Some findings need a human call

Not every finding should be fixed. A structured-data rule might ask a local business for a physical street address, but a service-area business that visits customers should not invent a storefront address just to satisfy a rule. The right move is to decide, then record the decision so your team and the next audit have the context. Ask the agent to call comment_on_issue with the reasoning, for example: “this is a service-area business with no public storefront, so we are intentionally not adding a PostalAddress.” The comment shows up in the dashboard thread against that issue.

Sample prompts that worked

Plain-English prompts are enough. Adapt these freely:

  • “Audit this site with squirrelscan and summarize the top issues worth fixing.”
  • “Work through the open squirrelscan issues one by one. Fix what you can in this repo and comment on each issue with what you changed.”
  • “We just deployed. Re-run the squirrelscan audit and tell me which issues closed and what the new score is.”
  • “Audit staging.example.com, but stop if it would cost more than 200 credits.”
  • “For each issue you can’t fix in code, comment on it explaining why and what a human needs to decide.”

A full loop reads like a short conversation: audit, review the summary together, let the agent fix a batch, deploy, and re-audit to watch the score move and the issues close.
