New: every finding now ships with a copy-paste fix prompt for Cursor & Claude.

Built for Lovable · Bolt · v0 · Cursor · Replit

Your AI builder shipped fast.
Did it ship safely?

Lovable, Bolt, v0, Cursor and Replit generate working apps in minutes — and routinely leak Supabase keys, skip Row-Level Security, and bake secrets into the browser bundle. VibeSafely scans for those exact flaws and hands you the fix, before someone else finds them first.

Free first scan · No credit card · Read-only, non-destructive checks

Understands the stacks AI builders ship

Lovable · Bolt · v0 · Cursor · Replit · Supabase · Firebase · Vercel

The pattern

Builders move fast. The same holes ship every time.

AI builders reproduce a predictable set of security defects — because the underlying patterns are predictable. That's exactly what makes them findable.

  • 10.3% of sampled Lovable apps exposed real user data through missing Row-Level Security (source: CVE-2025-48757)
  • 98% of apps behind a public Supabase URL had at least one exploitable flaw (source: symbioticsec.ai)
  • +37.6% more critical vulnerabilities after just five AI build iterations (source: vibe-eval.com)

How it works

From URL to fix in three steps

No installs, no agents, no config. If you can paste a link, you can run a scan.

  1. Paste your URL

     Point VibeSafely at any app you own or are authorized to test. No installs, no agents, no config — just the address.

  2. We fingerprint, then probe

     VibeSafely renders the app, detects the platform and backend it's built on, and runs read-only checks tuned to that exact stack — Supabase, Firebase, Vercel and more.

  3. Get the report — and the fix

     Every finding comes with a severity, the evidence we found, and a copy-paste prompt you drop straight into Cursor or Claude. Re-scan to confirm it's gone.

What we check

The flaws AI builders leave behind

Every check is remote and read-only. We don't just look for the mistake — we confirm whether it actually exposes your data.

Critical

Exposed backend access

Your Supabase anon key and Firebase config ship to the browser by design. We confirm whether they actually read data that Row-Level Security or rules should protect — not just whether a policy exists.

Critical

Secrets in the bundle

We sweep every loaded script for service-role JWTs, sk_live keys, AWS credentials and API tokens that should never reach the client — and decode them to tell a real leak from a harmless public key.
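The role-claim check this passage describes, as an added example written for this page (not VibeSafely's own code): it sweeps a constructed bundle excerpt for JWT-shaped strings and `sk_live` keys, decodes each JWT payload without verifying it, and grades a Supabase key by its `role` claim. `make_unsigned_jwt` and the `sk_live_PLACEHOLDER…` value only fabricate test data; nothing here is a real key.

```python
import base64
import json
import re

# Supabase anon and service_role keys are both JWTs; only the `role` claim in
# the payload distinguishes the expected public key from a critical leak.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
STRIPE_LIVE_RE = re.compile(r"sk_live_[A-Za-z0-9]{8,}")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_role(token):
    """Return the `role` claim of a JWT payload, or None if it is not a JWT."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return None
    return payload.get("role") if isinstance(payload, dict) else None


def classify_bundle(js):
    """One finding per credential-looking string, in order of appearance."""
    findings = []
    for m in JWT_RE.finditer(js):
        role = jwt_role(m.group())
        if role == "service_role":
            severity = "critical"  # bypasses RLS entirely; must never reach a browser
        elif role == "anon":
            severity = "info"  # public by design; RLS must protect the data behind it
        else:
            severity = "review"  # some other JWT: inspect by hand
        findings.append({"kind": "jwt", "role": role, "severity": severity})
    for m in STRIPE_LIVE_RE.finditer(js):
        findings.append({"kind": "stripe_secret", "role": None, "severity": "critical"})
    return findings


def make_unsigned_jwt(payload):
    """Build a JWT-shaped token with a dummy signature (constructed test data only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(payload)}.c2ln"


# Constructed bundle excerpt: the expected anon key beside two real leaks.
SAMPLE_BUNDLE = (
    f'createClient("https://example.supabase.co","{make_unsigned_jwt({"ref": "example", "role": "anon"})}");'
    f'const admin="{make_unsigned_jwt({"ref": "example", "role": "service_role"})}";'
    'const stripe=new Stripe("sk_live_PLACEHOLDER0000000000");'
)
```

Running `classify_bundle` over your own build output in CI turns this into a pre-deploy gate: fail the build on any `critical` finding, and treat `anon` as a reminder that RLS, not secrecy, protects that data.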

Critical

Exposed sensitive files

Open .env files, committed .git directories, config dumps and stray SQL backups are one request away. We probe the common paths and flag anything that returns the real thing.

Critical

Missing & broken auth

API routes that answer without a session, GraphQL introspection left on, IDOR-shaped endpoints — we replay discovered routes read-only and flag the ones returning data they shouldn't.

Critical

Open storage buckets

Public Supabase, Firebase and S3/GCS buckets that list or hand back objects to anyone. We check the storage URLs your app already uses — read-only, never touching your files.

High

Headers, source maps & TLS

Missing CSP and HSTS, source maps that hand attackers your original code, weak TLS and CORS that trusts any origin. The unglamorous gaps that turn one bug into a breach.

The report

A scan you can act on in minutes

No vague risk scores. Every finding names the exact endpoint, the evidence we captured, and a copy-paste prompt that fixes it in your AI editor. Then re-scan to prove it's gone.

  • Severity, evidence and remediation on every finding
  • Drop-in fix prompts for Cursor, Claude Code & Windsurf
  • Structured JSON export for your pipeline
Example report: vibesafely.com/report/your-app.com

Scan complete · 27s · your-app.com · 2 Critical · 1 High · 1 Medium

  • Critical: Supabase anon key reads protected `profiles` table
    GET /rest/v1/profiles?select=* → 200, 1,204 rows
  • Critical: service_role JWT hardcoded in main bundle
    assets/index-4f9a.js · role: service_role
  • High: Source map exposes original TSX source
    assets/index-4f9a.js.map · sourcesContent present
  • Medium: Missing Content-Security-Policy header
    GET / · no CSP on document response

Fix prompt ready for every finding.

Why VibeSafely

Built for the way AI builders break

Generic scanners run the same checklist on everything. VibeSafely knows the failure modes specific to AI-builder stacks — and proves them.

Active data-accessibility probing

Most scanners check that an RLS policy exists. We confirm whether your anon key can actually read protected rows — the difference between a checkbox and an answer.

Cross-stack in one pass

Supabase, Firebase, Vercel, raw REST and GraphQL — one scan, one report. No stitching together five tools that each see half the picture.

BaaS-aware by design

VibeSafely understands Supabase, Firebase and Clerk natively — so it knows when an exposed key is expected and when it's a five-alarm fire.

AI-ready fixes

Every finding ships with a remediation prompt engineered for Cursor, Claude Code and Windsurf. Paste it in, ship the fix, re-scan to confirm.

Non-destructive by design

Read-only GETs and introspection only. VibeSafely never writes, never deletes, never submits credentials. Your data is exactly as you left it.

Authorized targets only

Scope is enforced in the tool, not left to a checkbox. VibeSafely scans the host you point it at and nothing else — ethical by construction.

Builders

Shipping safer, without a security team

“Vibe-coded a waitlist app on Saturday, ran VibeSafely on Sunday — it flagged my Supabase anon key reading the whole users table. Fixed it in ten minutes with the prompt it gave me.”
Felix Widmer, indie maker
“I don't really write code — Cursor does. So I had no idea whether anything was secure. VibeSafely found four critical issues and told me exactly what to paste back into Cursor.”
Liam Chen, founder
“We ship MVPs for clients on tight deadlines. VibeSafely is the last step before we hand anything over. It's caught something on basically every project.”
Julia Podany, lead engineer, agency

Pricing

Free to find. Pay to fix and keep watch.

Your first scan is free, no credit card. Upgrade when you want fixes, history and monitoring.

Free

$0 forever

One full scan to see what you're working with.

  • One complete scan
  • All critical-severity checks
  • Shareable report link
  • No credit card

Pro

$19 / month

For builders shipping continuously.

  • Unlimited scans
  • Every check, all severities
  • AI-ready fix prompts
  • Re-scan & finding history
  • Email alerts on new issues

Agency

$99 / month

For teams shipping client work.

  • Everything in Pro
  • Multiple sites & clients
  • Scheduled re-scans
  • Baseline diffing over time
  • Branded, shareable reports

All plans run read-only, non-destructive checks against authorized targets only.

FAQ

Frequently asked questions

What is a "vibe-coded" app?

An app generated largely by AI builders and coding agents — Lovable, Bolt, v0, Cursor, Replit and friends. They ship working software fast, but they tend to reproduce the same handful of security mistakes because the underlying patterns are predictable.

Which platforms and stacks do you support?

VibeSafely fingerprints the platform first, then runs checks tuned to it. Today that covers Lovable, Bolt, v0, Cursor- and Replit-built apps, with deep support for Supabase, Firebase, Vercel and Clerk backends. Generic web checks (headers, TLS, exposed files) run on any site.

Is scanning safe — could it break my site?

Yes, it's safe. Every check is read-only: GET requests, introspection and SELECT-style probes. VibeSafely never writes, updates or deletes data, never submits credentials, and never runs denial-of-service traffic. This is a hard design constraint, not a setting.

Do I need to know anything about security?

No. Findings are written in plain language with a severity, the evidence we found, and a step-by-step fix — including a prompt you can paste straight into your AI editor. If you can paste a URL, you can run a scan.

Can I scan a site I don't own?

Only sites you own or are explicitly authorized to test. Scope is enforced in the tool, and we scan the host you provide and nothing else. Scanning without authorization is against our terms — and the law.

How is this different from a generic security scanner?

Generic scanners run the same checklist against everything. VibeSafely knows the failure modes specific to AI-builder stacks — and actively confirms data exposure rather than just checking whether a policy is present. That's how it catches the issues others miss without drowning you in false positives.

How much does it cost?

Your first scan is free, no credit card. Pro is $19/month for unlimited scans and fix prompts; Agency is $99/month for multi-site, scheduled re-scans and baseline diffing. You only need to upgrade once you want to fix and keep monitoring.

Find out what your AI builder left exposed.

One free scan. Sixty seconds. No credit card.