VIBE CODE SCANNER

Multi-platform scanner for AI-generated web apps — whatever tool you built with. Detects exposed keys, missing auth, and open databases in under two minutes.

SCAN YOUR VIBE-CODED APP NOW

Lovable, Bolt, v0, Cursor, Claude Code, Replit, Windsurf — enter your deployed URL and we probe for the failure modes specific to AI-generated apps.

What is a vibe code scanner?

A vibe code scanner is an automated security tool that probes a live AI-generated web app for the specific failure modes that AI coding tools tend to ship: exposed API keys in the browser bundle, missing Row Level Security on Supabase and Firebase tables, admin routes without auth checks, and open storage buckets. It runs against your deployed URL, no source code required, and returns findings in under two minutes.

This scanner covers apps built with Lovable, Bolt.new, Cursor, Claude Code, v0, Replit, Base44, Figma Make, and Windsurf — the full family of AI-generated-app tools — and everything they typically deploy onto (Vercel, Netlify, Railway, Render, Fly.io).

The vibe-coded app security checklist

AI coding tools have a family of recurring gaps. This scanner tests all of them in one pass:

  • Missing Row Level Security on Supabase or Firebase tables
  • Exposed API keys in the frontend bundle (Stripe secret, Firebase service account, OpenAI, Anthropic, AWS)
  • Auth flows that check the user but skip role or permission checks
  • CORS set to * on endpoints that return sensitive data
  • Debug routes and admin panels that shipped to production
  • Public storage buckets with no ACL
  • Inline scripts that force the Content Security Policy to allow 'unsafe-inline'
  • Webhooks with no signature verification
  • eval() or other dynamic code execution on user-controlled input
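As an added illustration of the "exposed API keys in the frontend bundle" item above (example code, not the scanner's own), a Node script that classifies credentials found in a built bundle and separates keys that belong in the browser (Stripe publishable key, Supabase anon key) from server-side secrets. The key prefixes are the providers' public key formats; the sample bundle and every token in it are constructed for this example.

```javascript
// Added example, not the scanner's own code: classify credentials found in a
// built frontend bundle. Browser-safe keys (Stripe pk_*, Supabase anon JWT) are
// expected there; server-side secrets (sk_*, AWS AKIA*, service_role JWT) are critical.
const PATTERNS = [
  { name: "Stripe secret key", severity: "critical", re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { name: "Stripe publishable key", severity: "info", re: /\bpk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { name: "AWS access key id", severity: "critical", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "Anthropic API key", severity: "critical", re: /\bsk-ant-[0-9A-Za-z_-]{20,}/g },
  { name: "OpenAI API key", severity: "critical", re: /\bsk-(?!ant-)[0-9A-Za-z_-]{20,}/g },
];
const JWT_RE = /eyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g;
// Decode the JWT payload without verifying it; only the claims matter here.
function jwtClaims(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}
// Supabase issues two JWTs: "anon" belongs in the browser and is gated by Row
// Level Security; "service_role" bypasses RLS and must never reach the bundle.
function classifyJwt(token) {
  const claims = jwtClaims(token);
  if (!claims) return { name: "Unparseable JWT", severity: "medium" };
  if (claims.role === "service_role") return { name: "Supabase service_role key", severity: "critical" };
  if (claims.role === "anon") return { name: "Supabase anon key", severity: "info" };
  return { name: "Embedded JWT (review)", severity: "medium" };
}
function scanBundle(text) {
  const findings = [];
  for (const { name, severity, re } of PATTERNS) {
    for (const m of text.matchAll(re)) findings.push({ name, severity, match: m[0] });
  }
  for (const m of text.matchAll(JWT_RE)) findings.push({ ...classifyJwt(m[0]), match: m[0] });
  return findings;
}
// Constructed sample bundle: every token below is fabricated for this example.
function fakeJwt(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64(claims)}.signature-not-real`;
}
const SAMPLE_BUNDLE = [
  `const supabase = createClient("https://example.supabase.co", "${fakeJwt({ iss: "supabase", role: "anon" })}");`,
  `const admin = createClient("https://example.supabase.co", "${fakeJwt({ iss: "supabase", role: "service_role" })}");`,
  `const stripe = loadStripe("pk_test_CONSTRUCTEDexample0005678");`,
  `const STRIPE_SECRET = "sk_test_CONSTRUCTEDexample0001234";`,
].join("\n");
console.log(scanBundle(SAMPLE_BUNDLE).filter((f) => f.severity !== "info"));
```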

What the scanner detects

EXPOSED CREDENTIALS

API keys, OAuth secrets, JWT secrets, webhook secrets loaded into the frontend.

MISSING AUTH

Admin or privileged routes reachable without a session or role check.

OPEN DATABASES

Supabase tables, Firestore collections, and Mongo endpoints readable or writable anonymously.

BROKEN CORS

Cross-origin policies that allow any origin to read authenticated responses.

OPEN STORAGE

Public buckets on S3, Supabase Storage, or Firebase Storage with no access rules.

BOLA / IDOR

Change an ID in a request and read another user's data — the classic vibe-coded bug.

How to use

  1. Paste the URL of your deployed app into the scanner at the top of this page.
  2. Wait ~2 minutes — the scanner loads the app, captures every request, and probes common attack surfaces.
  3. Review findings by severity: Critical, High, Medium, Low. Each includes evidence (which URL, header, or bundle triggered the detection).
  4. Copy the fix prompt into Claude Code, Cursor, or Lovable to patch the issue.
  5. Rescan to confirm the fix before you ship.

Which AI coding tools have the most common issues?

Tool         Primary stack          Most common finding
-----------  ---------------------  ---------------------------------------
Lovable      React + Supabase       Missing Row Level Security
Bolt         Vite + any backend     Hardcoded API keys in bundle
v0           Next.js + any backend  Server actions with no auth
Cursor       Any                    Generated code lacks input validation
Claude Code  Any                    Missing rate limiting and authorization
Replit       Full-stack             Public databases and exposed .env
Windsurf     Any                    Hardcoded secrets in frontend

COMMON QUESTIONS

  1. What is a vibe code scanner?
     A vibe code scanner is an automated security tool that probes a deployed AI-generated web app for the specific failure modes that AI coding tools tend to ship: exposed API keys in the frontend bundle, missing Row Level Security on Supabase and Firebase tables, admin routes without auth checks, and open storage buckets. It runs against the live URL, no source code required.

  2. What platforms does this cover?
     Lovable, Bolt.new, Cursor-built apps, Claude Code projects, v0, Replit, Base44, Figma Make, and Windsurf. Any web app deployed on Vercel, Netlify, Railway, Render, Fly.io, or standalone hosting.

  3. What does 'vibe coding' mean?
     Vibe coding is building software primarily through natural-language prompts to AI tools like Lovable, Cursor, Bolt, Claude Code, or v0, iterating quickly and not reading most of the generated code. The term was coined by Andrej Karpathy in early 2025. The security trade-off is that AI-generated code ships with a predictable set of gaps that the builder usually hasn't audited.

  4. How is this different from a traditional pentest?
     A pentest is a human-driven, usually week-long engagement that covers any vulnerability class. This scanner is a minutes-long automated probe focused on the specific failure patterns of AI-generated apps. Start with the scanner for coverage, then engage a pentest if you hold regulated data.

  5. Does this replace platform-specific scanners?
     No, it complements them. Use this first for breadth across your stack, then the platform-specific scanner (Lovable, Firebase, Supabase RLS) for depth on your primary layer.

  6. Is the scan safe to run on production?
     Yes. The scanner only fetches the same URL a normal visitor would load, inspects the frontend, and probes public endpoints for default exposure. It does not attempt destructive actions, credential stuffing, or DoS. You can run it as often as you like.

  7. What do I do with the findings?
     Each finding includes severity, evidence, and a fix prompt you can paste back into Claude Code, Cursor, or Lovable. Critical findings (exposed secret keys, anon-readable user tables) should be fixed before any other work. The rescan button verifies the fix in place.

  8. Is the tool free?
     The surface scan is free and unlimited. The deep agent scan, which tests RLS policies, auth bypasses, and API authorization, is part of the paid VibeEval product with a 14-day trial and no credit card required.

DEEP SCAN WITH THE FULL AGENT

Go beyond the surface scan. The agent tests RLS, auth bypasses, and every API route.
