Red Team Report -- Round 2
Second audit after Blue Team fixes. Original 35 findings + 35 new findings across all new features. Audit date: March 19, 2026.
Total findings: 70 (R1: 35 + R2: 35)
Critical: 3
High: 18
Medium: 29
Low: 20
Fixed: 16/70 (23% resolved)
Blue Team Fix Verification
Blue Team claimed 16 of 35 fixes. All 16 were verified as working, two of them only partially (RT-005: Privacy/Terms links still dead; RT-023: mobile nav fixed on the landing page only). RT-010 (blog pages) was only ACKNOWLEDGED by Blue Team but is actually fixed; credit given.
RT-001: Auth forms only console.log credentials
Confirmed: no console.log found in auth files. Fix is valid.
RT-002: Google and GitHub OAuth buttons do nothing
Fix is a band-aid (toast instead of real OAuth) but acceptable for now.
RT-003: Landing page 'Extract' button does nothing
Functional as described.
RT-004: Enterprise 'Contact Sales' button is a dead end
Valid fix. mailto is functional.
RT-005: 13 footer links go to href='#'
Most links fixed. Privacy/Terms still dead but acknowledged.
RT-006: Dashboard action buttons are non-functional
Confirmed functional.
RT-007: Flow builder buttons are non-functional
Confirmed in flows/[id] page. Note: the NEW workflow-builder page (RT-038) has the same bugs.
RT-008: 'Forgot password?' links to itself
Functional.
RT-010: Blog article links go to non-existent pages
Actually FIXED: app/blog/[slug]/page.tsx now exists with 3 full blog posts. Blue Team undersold this fix.
RT-012: Settings page buttons do nothing
Confirmed functional.
RT-013: Settings billing buttons are dead
Confirmed functional.
RT-014: Monitoring 'Configure Alerts' button is dead
Confirmed functional.
RT-022: CTA hover:bg-blue-50 breaks dark mode
Confirmed.
RT-023: No mobile navigation menu
Fixed on landing page only. Blog post pages (RT-069) and extension page (RT-070) still lack mobile nav.
RT-024: Social icon buttons lack accessible labels
Confirmed.
RT-026: Sign out button does nothing
Confirmed in app-sidebar.tsx line 177.
Round 2 Findings (35)
New issues discovered in new features: 1 critical, 8 high. The product has grown massively but almost every new page has dead buttons, fake data, or broken navigation.
RT-036: The revamped playground page always shows the same preloadedFlow messages and the same mockOutputData (24 hardcoded products) no matter what URL the user types. Every follow-up message returns the same canned 'Got it. I can refine...' response. The 'AI' is still entirely fake. This was noted in RT-029, but the new page makes the deception more convincing, which is worse.
RT-037: The JSON output <pre> tag uses bg-zinc-950 and text-zinc-300 without dark: variants. The schema tab does the same. In light mode the code blocks look jarring: dark rectangles against a white page. A deliberate 'code editor' aesthetic is fine, but it should still use theme-aware backgrounds.
RT-038: The workflow builder toolbar has Save, Run, and Share buttons that are purely decorative: no onClick, no toast, no state change. This is the same class of bug as RT-007 but in a brand-new page. The 'Test This Step' button inside the NodeConfigPanel also does nothing.
RT-039: The Undo and Redo buttons in the workflow builder toolbar have no onClick handlers. There is no undo/redo state management. They are purely visual.
RT-040: Each node in the left palette has a draggable attribute and cursor-grab styling, but there is no onDragStart on the palette items and no onDragOver or onDrop on the canvas. Dragging a node from the palette does not add it to the canvas. The only nodes that exist come from the hardcoded initialNodes array, so users have no way to add new nodes to a workflow.
RT-041: Every FlowCard has a 'Use Flow' button with bg-blue-600 styling that looks fully interactive but has no onClick handler. Users click it and nothing happens. The 'Install Flow' button in the preview dialog also has no onClick handler.
RT-042: The header 'Publish Your Flow' button (line 450-453) has no onClick handler, no Link wrapper, and no dialog trigger. It is completely dead.
RT-043: The sort dropdown offers 'Most Popular' and 'Most Runs' as separate options, but both use the identical sort logic, b.installs - a.installs, so they produce identical results. Either runs data is missing from the flow model or the sort was copy-pasted without updating.
RT-044: All marketplace flows have fabricated reviews from fake users (@datawhiz, @recruitbot, @realtyai, etc.) with suspiciously high ratings. Combined with the existing RT-018 (fake testimonials), this compounds the credibility issue: every interaction point in the product now has fake social proof.
RT-045: The API Playground 'Send Request' button triggers a setTimeout(800ms) and returns hardcoded getMockResponse() data. It makes no actual HTTP request to the API. All response times, sizes, and headers are fabricated, so users may believe they are testing a real API.
RT-046: The body textarea and response pre blocks use bg-zinc-950, text-zinc-100, and border-zinc-800 without theme-aware variants. These dark code blocks clash with light mode.
RT-047: The syntaxHighlight function returns raw HTML strings that are injected via dangerouslySetInnerHTML. Today the input is JSON.stringify output of mock data, so it is not user-controlled, but the pattern is unsafe: JSON.stringify does not escape <, > or &, so the moment a real API response carries attacker-influenced strings (a scraped page title, for example), the highlighter becomes a stored XSS sink. Escape the text before wrapping tokens in spans, or render the tokens as React elements instead of an HTML string.
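The hardening, as an added example that is not the project's syntaxHighlight (the project's own function is not reproduced here; the function names, the CSS class names and the sample payload are assumptions): entity-encode every slice of the JSON text before any span is added, so the only tags in the output are the ones the highlighter itself emits. The unsafe variant beside it has the shape the finding above describes and shows what a scraped string would exploit.

```typescript
// Added example: XSS-safe JSON syntax highlighting (not the project's code).
// Names (syntaxHighlightUnsafe, syntaxHighlightSafe, CSS classes) are assumed.

const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c] ?? c);
}

// Tokens of JSON.stringify output: quoted strings (optionally followed by ':'
// when they are object keys), the three literals, and numbers. Everything
// else (braces, commas, whitespace) is structural.
const TOKEN =
  /"(?:\\u[0-9a-fA-F]{4}|\\[^u]|[^\\"])*"(?:\s*:)?|\btrue\b|\bfalse\b|\bnull\b|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?/g;

function classify(tok: string): string {
  if (tok[0] === '"') return /:$/.test(tok) ? "key" : "string";
  if (tok === "true" || tok === "false") return "boolean";
  if (tok === "null") return "null";
  return "number";
}

// The shape described in the finding: tokens wrapped in <span>, all text copied
// through verbatim. JSON.stringify never escapes < > &, so a string value that
// contains markup is injected as live HTML by dangerouslySetInnerHTML.
function syntaxHighlightUnsafe(json: string): string {
  return json.replace(TOKEN, (tok) => `<span class="${classify(tok)}">${tok}</span>`);
}

// Hardened: every slice of the input, token or structural, is entity-encoded
// before it is concatenated, so the only tags in the result are the spans
// emitted here, and class names come from a fixed set, never from the input.
function syntaxHighlightSafe(json: string): string {
  const out: string[] = [];
  let last = 0;
  TOKEN.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = TOKEN.exec(json)) !== null) {
    out.push(escapeHtml(json.slice(last, m.index)));
    out.push(`<span class="${classify(m[0])}">${escapeHtml(m[0])}</span>`);
    last = m.index + m[0].length;
  }
  out.push(escapeHtml(json.slice(last)));
  return out.join("");
}

// Constructed sample: a scraped product name carrying an onerror payload.
const SAMPLE_RESPONSE = JSON.stringify(
  { name: "<img src=x onerror=alert(1)>", inStock: true, price: 19.99 },
  null,
  2,
);
```

Even the safe output still flows through dangerouslySetInnerHTML in the page's component; the cleaner fix is to return the token list and render one <span> element per token, which removes the HTML string altogether.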
RT-048: The analytics page dynamically imports RunsChart, DataChart, and CostChart from '@/components/dashboard/analytics/runs-chart', 'data-chart', and 'cost-chart'. These files DO NOT EXIST in the codebase. The dynamic import has a loading placeholder, so dev mode shows spinners, but the charts will never render. The page is fundamentally broken.
RT-049: Analytics shows Total Runs: 4,287, and the 7 top flows' runs do sum to 4,287 (248+412+1024+856+632+389+726). The items-extracted column sums to 1,175,476, which rounds to the 1.2M on the stat card, so that one is consistent. The real problems: these numbers do not match the dashboard page, which shows different flow data; the Total Cost of $12.47 is absurdly low for 4,287 runs; and the cost column sums to $19.89, not $12.47.
RT-050: The date range Select (7d, 30d, 90d, Custom) updates state but has zero effect on the displayed data. All stats, charts, and tables show the same data regardless of selection, and the 'Custom' option has no date picker UI.
RT-051: In the webhook logs table, each row has a 'View' button rendered as a ghost Button with no onClick or href. Clicking it does nothing: no detail panel, no modal, no navigation.
RT-052: The webhook wizard on the integrations page has an anchor with href='#' for 'How to find your webhook URL'. It calls e.preventDefault(), so it does nothing. A dead help link inside a setup wizard is poor UX.
RT-053: After completing the Slack, Discord, Google Sheets, or Email wizard and clicking 'Finish Setup', the toast says 'connected successfully' but the integration card still shows 'Not Connected'. The wizard calls onOpenChange(false) but never updates the integration status: the status lives in a hardcoded const array that is never mutated, so it needs to move into state (or a store) that the wizard's completion handler updates.
RT-054: Every PostCard links to /community/{post.id} (e.g., /community/welcome, /community/paginated-ecommerce). There is no app/community/[id]/page.tsx or app/community/[slug]/page.tsx, so every thread link is a 404. The community page looks like a real forum, but clicking any post leads nowhere.
RT-055: The 'New Post' button links to /community/new, which does not exist. Users who want to create content hit a 404, which makes the forum look abandoned.
RT-056: The community sidebar 'API Reference' link points to /docs/api. The docs sidebar uses /docs/api-reference. The API Keys page uses /docs/api. At least one of these routes 404s. This is the same issue as RT-032, now appearing in a third location.
RT-057: The community page displays '2,847 members', '1,234 posts', and '89 online now', all hardcoded fake numbers. Combined with fabricated post authors, reply counts, and view counts, this creates the illusion of an active community that does not exist.
RT-058: Both 'Add to Chrome' buttons (hero and final CTA) are plain <Button> elements with no onClick, no href, and no Link wrapper. There is no actual Chrome extension in the Chrome Web Store, so the page's claim 'Available on the Chrome Web Store' is false. The 'Watch Demo' button also has no handler.
RT-059: Inside the browser mockup screenshot, the 'Extract Data' button in the simulated extension popup has no onClick handler. This is a static visual, but it is styled as an interactive button.
RT-060: The extension page has its own footer that duplicates the hardcoded bg-gray-950 / text-gray-300 / border-gray-800 pattern from the landing page footer (RT-020). New pages are copying the same theming bug.
RT-061: The 'See It in Action' section has three placeholder boxes that literally say 'Screenshot placeholder' with a Monitor icon. This is developer placeholder content that was never replaced with actual screenshots or illustrations.
RT-062: The run detail page has three action buttons (Stop Run, Re-run, Export Results) that are all purely decorative, with no onClick handlers on any of them. The live simulation looks impressive, but users cannot interact with it.
RT-063: The run detail page has a browser frame mockup using bg-gray-900, bg-gray-800, text-gray-400, and bg-gray-950. This is the same pattern as the extension page and landing page: hardcoded dark colors that ignore theming.
RT-064: The live logs panel uses bg-zinc-950 with text-gray-500 / text-gray-200. In light mode this creates a jarring dark rectangle. Same pattern as RT-037 and RT-046.
RT-065: The chat widget's handleSend function always returns defaultResponse ('Thanks for your message! A team member will follow up shortly.') regardless of what the user types. There is no NLP, no keyword matching, and no routing. Quick replies work, but free text is completely ignored.
RT-066: Quick reply responses reference 'scraper.bot/contact' and 'scraper.bot/community' as valid URLs. The /contact page does not exist (same issue as RT-004). Community exists at /community, but the chatbot renders it as plain text without a link.
RT-067: The sidebar nav includes a 'Templates' item linking to /templates. There is no app/(dashboard)/templates/page.tsx, so clicking Templates in the sidebar gives a 404. This is a new nav item that was added without a corresponding page.
RT-068: The sidebar user dropdown has a 'Billing' menu item that links to /settings, the generic settings page. It should link to /settings?tab=billing or /settings#billing to land on the billing tab directly. Currently it dumps users on the profile tab.
RT-069: The blog post detail pages use 'hidden md:flex' for the nav links (Features, Pricing, Docs, Blog, Sign In, Get Started). On mobile, only the logo is visible. Same bug as RT-023, but on the new blog post pages.
RT-070: The extension page nav uses 'hidden md:flex' with no hamburger menu fallback. Same bug as RT-023 and RT-069. Every new standalone page is missing the mobile menu that was fixed on the landing page.
Round 1 Findings (35)
RT-001: Both sign-in and sign-up forms call console.log() with the user's credentials on submit. There is no actual authentication, no API call, and no redirect. A user who fills out the form and clicks 'Sign In' sees nothing happen. This is the single most damaging UX failure: it makes the product look fake on first contact. Logging credentials to the console also puts them in devtools output and in any error-reporting tool that captures console messages, so it is a credential-handling bug as well as a UX one.
RT-002: Both auth pages have 'Continue with Google' and 'Continue with GitHub' buttons with no onClick handler, no Link wrapper, and no form action. They are purely decorative. Users who prefer OAuth (the majority of developer signups) hit a dead end immediately.
RT-003: The hero 'See It In Action' section has an Extract button with no onClick handler, and the input is readOnly. This is supposed to be the live demo that sells the product; instead it is a static screenshot pretending to be interactive.
RT-004: The Enterprise pricing card on the landing page has a 'Contact Sales' button with no onClick, no href, and no Link wrapper. It renders as a plain <button> that does absolutely nothing. The pricing page's Enterprise CTA links to /contact, which does not exist (404).
RT-005: The landing page footer has links for API Reference, Changelog, About, Blog, Careers, Contact, Help Center, Status, Privacy Policy, and Terms of Service, plus Twitter/GitHub/LinkedIn social icons, ALL pointing to '#'. Pages exist at /blog, /status, and /changelog but are not linked. Social links go nowhere.
RT-006: The dashboard page has multiple buttons with no onClick handlers: 'Acknowledge' alert buttons (line 297-299), 'Run' buttons on active flows (line 397-399), pause/resume toggle buttons (line 401-405), and edit buttons (line 408-409). All are purely visual; clicking them does nothing.
RT-007: The flow detail page has dead buttons everywhere: 'Save' (line 259), 'Run Flow' (line 262), 'Schedule' (line 255), 'Save Settings' in the settings tab (line 940-943), 'Load Preview' (line 406), 'Add Rule' for extraction (line 574-577), 'Run Now' in the runs tab (line 605-608), and the 'Add Step' dropdown items (line 331-335). The Copy buttons on API code snippets also do nothing: no clipboard API call.
RT-008: The 'Forgot password?' link on the sign-in page points to /sign-in, the same page the user is already on. This is a broken circular link.
RT-009: The sign-up form requires users to agree to the Terms of Service (/terms) and Privacy Policy (/privacy) before creating an account. Both links lead to 404 pages. Requiring agreement to non-existent documents is legally and ethically problematic.
RT-010: All 3 blog article cards link to /blog/[slug] routes that don't exist. Clicking any article results in a 404, which makes the blog section look abandoned and damages credibility.
RT-011: The 'Get notified about incidents' form has a Subscribe button with type='button' (not 'submit') and no onClick handler. Users who enter their email and click Subscribe get zero feedback.
RT-012: The profile 'Save Changes' button, notification 'Save Preferences' button, 'Upload Avatar' button, and 'Invite Member' button all lack onClick handlers. Users can edit fields but can never persist changes.
RT-013: The billing tab shows plan cards with 'Upgrade' and 'Contact Sales' buttons that have no onClick or href. Users looking to give you money literally cannot.
RT-014: The 'Configure Alerts' button in the monitoring page header has no onClick or href.
RT-015: The 'Last 7 Days' button in the runs page header is decorative: no onClick, no date picker popover.
RT-016: Each run row has an Eye (view) button and a RotateCcw (retry) button with no onClick handlers.
RT-017: The hero trust badge says 'SOC 2 Compliant'. The FAQ also claims SOC 2 compliance and 'industry best practices'. If the product is not actually SOC 2 certified, this is a material misrepresentation that could have legal consequences. Enterprise buyers will ask for the SOC 2 report.
RT-018: Three testimonials cite 'Sarah Johnson, VP Engineering, DataStack', 'Mike Chen, CTO, MarketPulse', and 'Amanda Lee, Director, Asset Recovery LLC'. These are fabricated people at fabricated companies. Any user who Googles them will find nothing and immediately distrust the product. All have perfect 5-star ratings.
RT-019: The landing page includes a <TrustedBy /> component. If it shows logos of companies that don't actually use the product, it is deceptive. Combined with the fake testimonials and the unverified SOC 2 claim, the credibility damage compounds.
RT-020: The landing page footer uses bg-gray-950 with hardcoded text-gray-300, text-gray-400, text-gray-500, border-gray-800, and text-white. In dark mode this happens to look fine, but in light mode it creates a jarring dark section. More importantly, it doesn't use theme tokens, which makes consistent theming impossible to maintain.
RT-021: The admin layout nav uses bg-gray-950, border-gray-800, text-gray-400, bg-gray-800, text-white, and hover:bg-gray-900. The ThemeToggle button uses text-gray-400 hover:text-white. In light mode, the admin nav remains a dark slab that clashes with the page content.
RT-022: The final CTA section button uses hover:bg-blue-50, a near-white color. In dark mode, hovering the button flashes a bright white background that looks broken.
RT-023: The landing page nav uses 'hidden md:flex' for navigation links. On mobile, only the logo is visible: no hamburger menu, no way to navigate to Features, Pricing, Docs, Sign In, or Sign Up. The blog page has the same issue.
RT-024: The Twitter, GitHub, and LinkedIn icon links in the footer have no aria-label or screen reader text. They are invisible to assistive technology.
RT-025: The dashboard header has a notification bell with a '3' badge count, but clicking it does nothing: no dropdown, no link to /monitoring.
RT-026: The sidebar user dropdown has a 'Sign out' menu item with no onClick handler. Users who want to sign out cannot.
RT-027: The middleware skips API key validation whenever the request's Referer or Origin header contains the app hostname. Both headers are set by the client, so any caller can add a Referer containing the hostname and bypass auth entirely. When the check does run, it only tests for the 'scr_' prefix; there is no lookup of the key against a database, so any string starting with 'scr_' is accepted. This is the one Round 1 finding that is a real authorization bypass rather than a UX bug, and it must be fixed before any real API endpoint ships: never treat Referer or Origin as an authentication signal, and validate keys by looking up a hash of the presented key against the set of issued keys.
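The bypass shape described in the middleware finding above, beside a hardened check, as an added example that is not the project's middleware. The hostname, the header bag type, the key format (scr_ plus 32 alphanumerics) and the table of issued keys are assumptions constructed for the example; a real deployment would read issued keys from its key store.

```typescript
// Added example (not the project's middleware): the bypass shape described in
// the finding beside a hardened check. Hostname, header bag, key format and
// the issued-key table are assumptions constructed for this example.
import { createHash } from "node:crypto";

type HeaderBag = Record<string, string | undefined>; // header names lower-cased
const APP_HOSTNAME = "scraper.bot"; // assumed

// Vulnerable shape: a same-origin-looking Referer/Origin short-circuits auth,
// and the "validation" that remains is a prefix test, not a lookup.
function isAuthorizedVulnerable(h: HeaderBag): boolean {
  const refOrOrigin = `${h["referer"] ?? ""} ${h["origin"] ?? ""}`;
  if (refOrOrigin.includes(APP_HOSTNAME)) return true; // attacker sets this header
  const key = (h["authorization"] ?? "").replace(/^Bearer\s+/i, "");
  return key.startsWith("scr_"); // "scr_anything" passes
}

// Hardened: the presented key is hashed and the digest looked up in a table of
// issued keys, so plaintext keys are never stored and the comparison runs on
// digests rather than on the secret itself.
function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

type KeyRecord = { owner: string; revoked: boolean };

// Constructed sample keys; a real deployment reads these from its key store.
const VALID_KEY = "scr_7fK2qL9xT1mN4pR8sV0wY3bD6gH5jC2e";
const REVOKED_KEY = "scr_Zq8wE3rT6yU1iO4pA7sD0fG2hJ5kL9zX";
const ISSUED_KEYS = new Map<string, KeyRecord>([
  [sha256Hex(VALID_KEY), { owner: "acct_123", revoked: false }],
  [sha256Hex(REVOKED_KEY), { owner: "acct_456", revoked: true }],
]);

// Assumed key format: "scr_" plus 32 alphanumerics. The format test is only a
// cheap early reject; acceptance always comes from the lookup below.
const KEY_FORMAT = /^Bearer\s+(scr_[A-Za-z0-9]{32})$/;

type AuthResult = { ok: boolean; owner?: string; reason: string };

function isAuthorizedHardened(h: HeaderBag): AuthResult {
  // Referer and Origin are never consulted: both are client-supplied and
  // trivially spoofed by any non-browser API client.
  const m = KEY_FORMAT.exec(h["authorization"] ?? "");
  if (!m) return { ok: false, reason: "missing or malformed API key" };
  const rec = ISSUED_KEYS.get(sha256Hex(m[1] ?? ""));
  if (!rec) return { ok: false, reason: "unknown API key" };
  if (rec.revoked) return { ok: false, reason: "revoked API key" };
  return { ok: true, owner: rec.owner, reason: "ok" };
}
```

In a Next.js middleware a failed result maps straight to a 401 response (new NextResponse(null, { status: 401 })). Note that the edge runtime exposes Web Crypto rather than node:crypto, so the digest would go through crypto.subtle.digest there and the check becomes async.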
RT-028: Both handleGenerate() and handleTemplateSelect() hardcode router.push('/flows/flow-1'). No matter what URL or prompt the user enters, they always end up on the same pre-baked flow. The 'AI generation' is a setTimeout fake.
RT-029: The playground chat always shows the same preloaded conversation and output regardless of the URL entered. The 'AI' is a sequence of delayed addMessage() calls with hardcoded strings, and follow-up messages always return the same generic response.
RT-030: Multiple files hardcode new Date('2026-03-18T18:30:00Z') as 'now' for relative time calculations, so all time displays are frozen. Anyone visiting the site on a later date sees wrong values ('2d ago' when it should be months ago). Relative times need to be computed from the current clock at render time; only the mock timestamps themselves should be fixed fixtures.
RT-031: The docs layout sidebar has links to /docs/quickstart, /docs/concepts, /docs/api-reference, /docs/guides, and /docs/templates. If these pages don't exist, users navigating the docs see 404s.
RT-032: The API Keys page has a 'View API Docs' button linking to /docs/api. The docs sidebar uses /docs/api-reference. These are different routes, so at least one is wrong.
RT-033: The runs page renders expandable table rows using bare <> fragments. React needs the key on the outermost element of each mapped item; here the key sits on the inner TableRow while the fragment wrapping each pair of rows has none, so React logs a missing-key warning and can mis-reconcile rows when the list changes. The fix is the long-form Fragment, which accepts a key prop.
RT-034: The standalone /pricing page (PricingContent) has no navigation header at all: no logo, no links, no way to get back to the home page or sign up. Users who arrive from a direct link are stranded.
RT-035: The settings billing tab shows plans Free $0, Starter $19, Professional $49, and Enterprise Custom. The pricing page shows Free $0, Pro $29, and Enterprise Custom. Different plan names and prices across the product erode trust.
Competitive Gap Analysis
- Browserless execution -- 10-100x faster than headless browser. HTTP-level extraction means sub-second responses, not 5-15 second Puppeteer runs.
- Deterministic APIs -- Every parser becomes a versioned, typed, cacheable REST endpoint. Not just data extraction -- an API product.
- MCP integration -- Parsers work as Model Context Protocol servers, enabling AI agents to use web data natively.
- Hosted endpoints -- Real, live API endpoints you can curl right now. Not a demo, not a screenshot.
- Real browser infrastructure -- Actual headless browser fleet with fingerprint rotation, residential proxies, and anti-detection.
- Agent orchestration -- AI agents that can reason, plan multi-step workflows, and recover from failures autonomously.
- Digital personas -- Browser sessions that maintain persistent identity, cookies, and history across runs.
- CAPTCHA solving -- Built-in CAPTCHA bypass, not just claimed in marketing copy.
- Serverless edge compute -- Runs execute at the edge with zero cold start. Real infrastructure, not setTimeout().
- No real scraping engine -- The entire product is mock data and setTimeout() calls. Nothing actually scrapes anything.
- No real authentication -- Auth forms redirect to dashboard but there are no sessions, no JWT, no user state.
- No real database -- All state is mock-data.ts constants. Refreshing the page resets everything.
- No real AI -- The "AI generation" is a hardcoded timeout. The playground chat is a script. The workflow builder is a static canvas.
- Feature sprawl without depth -- 13+ new pages added (marketplace, analytics, workflow builder, community, extension, etc.) but none of them actually work. Breadth without depth is worse than a small product that works.
The Blue Team fixed 16 of 35 Round 1 findings (46% -- slightly better than their claimed 40%). All verified fixes are real. However, the product has expanded from ~15 pages to ~28 pages, and almost every new page introduces the same category of bugs that were found in Round 1.
The pattern: A new feature gets built with polished UI, hardcoded mock data, and buttons that look interactive but have no onClick handlers. The workflow builder looks like a professional node editor but you cannot add nodes from the palette. The marketplace looks like a real app store but "Use Flow" does nothing. The analytics page imports chart components that do not exist in the codebase.
The core problem remains unchanged: This is a demo site, not a product. Every new feature makes it look more real, which makes the disappointment worse when a user tries to actually use it. The community page fabricates 2,847 members. The marketplace fabricates reviews. The extension page advertises a Chrome extension that does not exist. The attack surface for credibility damage has tripled since Round 1.
Bottom line:
54 of 70 total findings remain unfixed (77%). 1 new critical and 8 new high-severity issues were introduced by the new features. The product is growing faster than it is being fixed.