
Website & Paraguay-Taxes Repo Review

Date: 2026-02-11
Reviewer: Friday (AI Agent)


Part 1: agentmaker-website & agentmakerio-web

What Are These?

They are essentially the same site — a simple landing page for agentmaker.io. Both repos have identical package.json, App.tsx, components, CSS, and SVGs. The source code is a copy.

| Aspect | agentmaker-website | agentmakerio-web |
|---|---|---|
| Framework | React 18 + Vite + Tailwind CSS + TypeScript | Same |
| Hosting | Cloud Run (via Cloud Build + Docker) | Firebase Hosting |
| Firebase project | agentmaker-io | agentmakerio-web |
| Backend | Separate Cloud Function (contact-form/main.py) via Mailgun | Firebase Function (functions/main.py) via Firestore + Pub/Sub |
| Extra files | cloudbuild.yaml, Dockerfile, .env.example | .firebaserc, firestore.rules, package-lock.json |

Key difference: agentmaker-website appears to be the active/production version (deployed to Cloud Run with a proper contact-form Cloud Function that sends email via Mailgun). agentmakerio-web is an older Firebase-hosted version with a different backend approach (Firestore + Pub/Sub) and has node_modules accidentally committed inside public/.

Recommendation: Consolidate into one repo. Archive agentmakerio-web.

Content Review

The site is extremely minimal — just two sections:

  1. Industry Experience — A heading, one line of copy ("Collectively, our team has worked with leading organizations, delivering automation and AI solutions."), and 5 client logos: Lockheed Martin, Deloitte, Nortel, T-Mobile, Cisco.
  2. Contact Form — Name, email, company (optional), message, submit button.

What's missing:

  • No hero section / value proposition
  • No description of what Agentmaker does or offers
  • No services/products section
  • No about page, team section, or case studies
  • No navigation or footer
  • No pricing or CTA beyond the contact form
  • No social proof beyond logos (no testimonials, metrics)

This is barely a landing page — it's a contact form with logos. It tells visitors nothing about the business.

SEO Review

| Item | Status | Notes |
|---|---|---|
| <title> | ⚠️ Generic | Just "Agentmaker.io" — no keywords |
| Meta description | ❌ Missing | None |
| Open Graph tags | ❌ Missing | No og:title, og:description, og:image |
| Twitter cards | ❌ Missing | None |
| Sitemap | ❌ Missing | No sitemap.xml |
| robots.txt | ❌ Missing | None |
| Heading hierarchy | ⚠️ Poor | No <h1>, jumps to <h2> for both sections |
| Structured data | ❌ Missing | No JSON-LD |
| Canonical URL | ❌ Missing | None |
| Alt text on images | ✅ OK | Logo SVGs have alt text |

SEO is essentially non-existent. The site would be invisible to search engines.

Performance

  • Bundle is tiny — React + Tailwind + 2 components. No issues.
  • SVG logos are fine — small vector files.
  • Google Fonts loaded via CSS import — could use <link rel="preconnect"> for faster load.
  • ⚠️ agentmakerio-web has node_modules committed in public/ (node-fetch, tr46, whatwg-url, etc.). These would be deployed to Firebase Hosting and served publicly. This is a bug — wasted bandwidth and potential info leakage.

Design/UX Observations

  • Two sections stacked vertically with no visual hierarchy
  • No navigation, header, or footer
  • No branding beyond the favicon (agentmaker.svg)
  • Contact form uses browser alert() for success/error — poor UX
  • No loading state on form submission
  • No form validation beyond HTML required
  • No responsive design testing evident (Tailwind helps but layout is basic)
  • Color scheme uses CSS variables (bg-background, text-foreground, bg-primary) but they don't appear to be defined — likely relying on Tailwind defaults

Contact Form Backend Comparison

agentmaker-website (functions/contact-form/main.py):

  • ✅ Proper CORS handling
  • ✅ Input validation
  • ✅ Mailgun integration with Secret Manager for API key
  • ✅ Reply-To header set to submitter's email
  • ⚠️ Access-Control-Allow-Origin: * — should restrict to agentmaker.io domain
  • ⚠️ No rate limiting — vulnerable to spam

agentmakerio-web (functions/main.py):

  • ❌ No CORS headers
  • ✅ Pydantic validation
  • ⚠️ Stores IP address and user-agent in Firestore (privacy concern)
  • ⚠️ No rate limiting
  • ⚠️ Publishes to Pub/Sub topic but no subscriber seems defined
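
One way to close the two ⚠️ findings on the agentmaker-website function (wildcard Access-Control-Allow-Origin, no rate limiting), as an added example that is not code from either repo. The allowed origins, the limit of 3 submissions per 10 minutes, and all function names are assumptions.

```python
import time
from collections import defaultdict, deque

# Assumptions: production origins and limiter policy; adjust to the real deployment.
ALLOWED_ORIGINS = {"https://agentmaker.io", "https://www.agentmaker.io"}
WINDOW_SECONDS = 600
MAX_PER_WINDOW = 3
_hits = defaultdict(deque)  # client key (e.g. source IP) -> accepted timestamps


def cors_headers(origin):
    """Echo the Origin back only when it is allow-listed; never send '*'."""
    headers = {"Vary": "Origin"}  # caches must not reuse a reply across origins
    if origin in ALLOWED_ORIGINS:
        headers.update({
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST, OPTIONS",
            "Access-Control-Allow-Headers": "Content-Type",
        })
    return headers


def allow_submission(client_key, now=None):
    """Sliding-window limiter: True while the client is under the cap."""
    now = time.monotonic() if now is None else now
    window = _hits[client_key]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()  # drop submissions that fell out of the window
    if len(window) >= MAX_PER_WINDOW:
        return False
    window.append(now)
    return True


def handle(method, origin, client_key, now=None):
    """Return (status, headers) for a contact-form request."""
    headers = cors_headers(origin)
    if method == "OPTIONS":
        return 204, headers  # preflight: browser blocks if no allow-origin
    if method != "POST":
        return 405, headers
    # Non-browser clients can set any Origin, so the limiter is the real control.
    if origin not in ALLOWED_ORIGINS:
        return 403, headers
    if not allow_submission(client_key, now):
        return 429, {**headers, "Retry-After": str(WINDOW_SECONDS)}
    return 200, headers  # the real handler would validate input and send mail here
```

The counter lives in one function instance's memory; with several instances it has to move to a shared store.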


Part 2: paraguay-taxes

What Does It Do?

A CLI tool and Cloud Function for automating Paraguay tax filings on the SET Marangatu portal. It:

  1. Logs into the Marangatu tax portal (government website)
  2. Checks tax compliance status
  3. Auto-files Form 211 (monthly VAT/IVA) and Form 955 (invoice registry)
  4. Calculates late penalties
  5. Sends notifications via Mailgun, SendGrid, Twilio SMS, or WhatsApp
  6. Can run as a weekly scheduled Cloud Function on GCP

The actual Marangatu API client (marangatu.py) is not in the repo (likely a private package or was deleted). Only cli.py, notifications.py, and config files are present.

Security Assessment

| Issue | Severity | Details |
|---|---|---|
| --allow-unauthenticated on Cloud Function | 🔴 HIGH | The README shows deploying with --allow-unauthenticated. Anyone can trigger tax filings by hitting the URL. |
| Credentials in env vars | ⚠️ MEDIUM | Tax portal credentials passed as plain env vars to Cloud Function instead of Secret Manager |
| Hardcoded backfill periods | ⚠️ LOW | cmd_backfill has hardcoded period lists — will become stale |
| No input sanitization on period | ⚠️ LOW | cmd_file passes period directly to API client |
| Missing marangatu.py | ❓ UNKNOWN | Can't audit the core client for security issues |

Notifications Module

Well-structured with abstract base class pattern. Supports 5 notification backends. The MultiNotification class is a nice touch.

Issues:

  • No retry logic on failed notifications
  • No logging (just print statements)
  • format_compliance_report is clean but not used in cli.py (seems designed for the Cloud Function)

Recommendations

  1. Remove --allow-unauthenticated from Cloud Function deployment. Use Cloud Scheduler's OIDC authentication instead.
  2. Use Secret Manager for Marangatu credentials (like the website does for Mailgun).
  3. Add the marangatu.py module to the repo (or document where it comes from).
  4. Replace hardcoded backfill periods with dynamic detection from the portal.
  5. Add proper logging instead of print statements (use Python logging module).
  6. Add a DRY_RUN mode that's actually wired up (it's in .env.example but not referenced in code).

Overall Recommendations

Immediate (High Priority)

  1. Secure the paraguay-taxes Cloud Function — require authentication
  2. Move Marangatu credentials to Secret Manager
  3. Delete public/node_modules/ from agentmakerio-web — committed by accident
  4. Archive agentmakerio-web — consolidate to one repo

Short Term

  1. Rebuild the website — it needs actual content: hero, services, about, case studies
  2. Add SEO basics — meta tags, OG tags, sitemap, robots.txt, proper <h1>
  3. Add CORS restrictions to the contact form function (allow only agentmaker.io)
  4. Add rate limiting / reCAPTCHA to the contact form

Medium Term

  1. Consider a proper framework — Next.js or Astro for SSG/SSR and better SEO
  2. Add analytics — no tracking is currently in place
  3. Add a blog/content section for organic SEO
  4. Improve form UX — replace alert() with inline feedback, add loading states