Now listening · 14-day gentle trial

A gentler way to check
if your AI-coded app
is actually safe.

You shipped fast. That's the point. We quietly probe your running app the way a curious attacker would — and hand you a friendly list of what to fix, with prompts ready to paste into Claude or Cursor.

Free to start · No credit card · Results in under a minute

app.vibe-eval.com/scan/acme-ledger · live

  • Supabase table readable by anyone (High · RLS): Public role can SELECT from profiles. Gentle fix prompt below.
  • Stripe key shipped to the browser (Critical · Leak): Detected a live publishable key — and a secret one. The second one shouldn't be here.
  • Auth cookie never expires (Medium · Auth): Session tokens linger indefinitely. A few gentle words of policy would help.

Scans this week: 1,480 · Each finding traced, each fix kind.
Avg. time to first verdict: 48s
— what we quietly notice

Three things AI tools almost always leave unlocked.

Lovable, Cursor, Bolt, Replit — they ship working apps. But "working" and "safe" are different words.

No. 01 · Any visitor can see everyone's data.

Missing row-level security. Your Supabase tables become readable by anyone with a browser console. We check each one, gently.

No. 02 · Your secret keys are in the bundle.

Found in roughly one of four apps we scan. Your Stripe, OpenAI, or admin key hitching a ride in the JavaScript that ships to every visitor.

No. 03 · Your login has a quiet backdoor.

Endpoints without checks, tokens that never expire, role arrays a user can edit themselves. Polite on the surface, wide open underneath.

— three steps, no hurry

From your URL to a kind list of fixes.

No SDK. No config. No code changes. The first pass finishes before your coffee cools.

i. Paste the URL.

Drop in your live endpoint. We work around CAPTCHAs, cookie walls, and the usual gatekeepers — no tricks required on your side.

ii. We probe, softly.

An autonomous agent tests auth bypasses, exposed keys, and broken access — across real browsers, real routes, real payloads.

iii. You fix, on your terms.

Each finding arrives with a short prompt you can paste into Claude Code or Cursor. Rescan tomorrow to watch the list shrink.

— simple, fair, no tiers you don't need

Pay for peace, not paperwork.

Start free. Upgrade when you want the whole agent watching your back.

A gentle start

For the solo builder who'd like to sleep through the weekend.

$19 / month
  • Unlimited projects
  • 310+ security probes
  • Daily rescans
  • Fix prompts ready for Claude & Cursor
  • Email us anytime
Begin quietly

A small team · Most gentle on teams

For founders shipping to users who expect the basics done right.

$79 / month
  • Five seats, shared reports
  • GDPR / SOC2 / HIPAA gap check
  • Scheduled scans & webhooks
  • MCP integration
  • One onboarding call, on us
Bring the team

14-day free trial · cancel anytime · or say hello about Lifetime & Enterprise.

— honest answers, gently given

A few questions, in case you were wondering.

Does it really find real vulnerabilities?

Yes. The average scan on a new AI-coded app finds 8–12 real issues. Each comes with severity, trace, and a gentle prompt to fix it. No padding.

Will it break my app?

No. The default mode runs read-only probes that are safe for production. The louder stuff is opt-in and very clearly labelled.

Do I need security expertise to use this?

Not at all. Every finding is explained in plain language and paired with a one-paragraph fix prompt you can paste into Claude Code or Cursor.

How long does a scan take?

A first verdict lands in under 60 seconds. The full deep pass takes 3–8 minutes, depending on how many routes and auth flows your app has.

Is my data safe with you?

Yes. We never store credentials, never share results, and keep scan artefacts on your account for only as long as you want them there.

Be the founder who thought ahead.

Your future self, and your users, will thank you. Let's find what's exposed before a stranger on Twitter does.

Start for free