VibeShield
Scanning for 24 known vibe-code vulnerability patterns

The security layer for vibe-coded apps.

Your vibe-coded app probably has security holes.
Find them in 30 seconds.

VibeShield scans your Lovable, Bolt, Cursor, v0, or Replit app for the 24 vulnerability patterns AI keeps shipping. Get the exact fix prompt to paste into your AI tool.

No signup · Results in 30 seconds · Free first scan

Built for apps shipped on:

Lovable · Bolt · v0 · Cursor · Replit · Base44 · Windsurf

Real breaches we'd have caught.

Vibe-coded apps are getting hacked every week. The patterns are predictable. The fixes are mechanical.

CRITICAL

170 Lovable apps · 18,697 records exposed

Researcher Matt Palmer scanned 1,645 Lovable apps in May 2025 and found that 10.3% had Supabase Row Level Security misconfigured. Names, emails, financial info, home addresses, and API keys exposed via direct REST API calls.

CRITICAL

1.5M API tokens leaked · 35K emails exposed

Wiz researchers found Moltbook's Supabase RLS misconfigured in January 2026. The founder publicly stated: "I didn't write a single line of code for Moltbook."

CRITICAL

Students could change their own grades

A Lovable-showcased EdTech app shipped with 16 vulnerabilities, 6 critical. Anyone could delete accounts in a single API call. 18,697 student records exposed.


24 things AI keeps getting wrong.

Every rule in our library comes from a real breach, a real CVE, or a documented pattern in Escape's 5,600-app vulnerability study.

  • Exposed Stripe secret keys: sk_live_... keys hardcoded in your client bundle
  • Exposed OpenAI / Anthropic keys: LLM API keys shipped to the browser
  • Supabase service-role key leaks: the key that bypasses all your RLS, in your JS
  • Missing Row Level Security: anyone with your anon key can read your tables
  • Hardcoded user IDs in routes: the BOLA pattern that exposed 18K student records
  • Database connection strings: postgres://user:pass@... right in the bundle
  • Missing CSP / HSTS headers: the defenses your AI didn't add
  • Hallucinated dependencies: packages your AI invented that don't exist

Honest pricing.

Free for one scan. $9 to see every fix. $29/mo to never worry again.

Free

One scan, no signup

$0
  • One public-URL scan
  • Top 5 findings shown
  • Severity score
  • Fix prompts blurred
MOST POPULAR

Deep Scan

One-time, full report

$9
  • All findings (every severity)
  • All fix prompts unlocked
  • Platform-tuned fix prompts (Lovable, Bolt, Cursor, v0, Replit)
  • PDF report

Continuous

per month

$29/mo
  • Everything in Deep Scan
  • Auto re-scan on every Git push
  • Daily URL re-prober
  • Slack / Discord alerts
  • 1 project

Questions builders ask.

Will this work on my Lovable / Bolt / Cursor / v0 / Replit app?
Yes. The scanner is designed specifically for apps built on these platforms — the rule library is tuned to the patterns each one tends to produce. Just paste the deployed URL.
Do you store my code?
No. The scanner fetches the public HTML and JS bundles from your URL — exactly what any visitor's browser fetches. We don't clone your repo, we don't store your bundle content, and any secrets we find are redacted to the first 6 characters before being shown to you. Full data policy in our Privacy page.
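The approach this answer describes (pattern-match the public bundle, show hits redacted to their first 6 characters), together with the key-leak entries in the pattern list above, as an added Node.js example. This is not VibeShield's scanner: the rule regexes, rule ids, severities, remediation notes and the sample bundle are all assumptions constructed for the example, and it scans a string you already hold rather than fetching anything.

```javascript
// Added example, not VibeShield's code: a minimal secret-in-bundle scanner for
// four of the patterns listed on the page (Stripe live keys, OpenAI-style keys,
// Postgres connection strings, Supabase JWTs classified by their role claim).
// Every hit is redacted to its first 6 characters before it is returned.

// Detection rules. The key shapes are assumptions, tuned for low false positives.
const RULES = [
  { id: 'stripe-secret-key', severity: 'critical',
    re: /\bsk_live_[A-Za-z0-9]{8,}\b/g,
    note: 'Stripe live secret key in client code: rotate it and move Stripe calls server-side.' },
  { id: 'openai-api-key', severity: 'critical',
    re: /\bsk-[A-Za-z0-9_-]{20,}/g,
    note: 'LLM API key shipped to the browser: rotate it and proxy requests through a backend.' },
  { id: 'postgres-connection-string', severity: 'critical',
    re: /\bpostgres(?:ql)?:\/\/[^\s"'`]+/g,
    note: 'Database connection string in the bundle: rotate the password and remove it from client code.' },
  { id: 'supabase-jwt', severity: 'info',
    re: /\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
    note: 'Supabase-style JWT; reclassified below by its role claim.' },
];

// Read the role claim from a JWT payload without verifying the signature
// (we only need to know whether this is an anon or a service_role key).
function jwtRole(token) {
  try {
    const payload = token.split('.')[1];
    const json = Buffer.from(payload, 'base64url').toString('utf8');
    return JSON.parse(json).role ?? null;
  } catch {
    return null;
  }
}

// Keep only the first 6 characters of a secret, as the FAQ answer describes.
function redact(secret) {
  return `${secret.slice(0, 6)}...`;
}

function lineOf(source, offset) {
  return source.slice(0, offset).split('\n').length;
}

// Run every rule over the bundle text and return redacted findings sorted by line.
function scanBundle(source) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.re)) {
      const secret = m[0];
      let { id, severity, note } = rule;
      if (rule.id === 'supabase-jwt') {
        const role = jwtRole(secret);
        if (role === 'service_role') {
          id = 'supabase-service-role-key'; severity = 'critical';
          note = 'Service-role key bypasses RLS entirely and must never reach the browser: rotate it.';
        } else if (role === 'anon') {
          id = 'supabase-anon-key'; severity = 'info';
          note = 'Anon key is public by design, but every table it can reach needs RLS enabled.';
        } else {
          continue; // some other JWT; out of scope for these rules
        }
      }
      findings.push({ id, severity, note, line: lineOf(source, m.index), redacted: redact(secret) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

function countBySeverity(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
  for (const f of findings) counts[f.severity] = (counts[f.severity] ?? 0) + 1;
  return counts;
}

// --- constructed sample bundle: every value below is fake and was made up for this example ---
function fakeJwt(role) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ role })}.constructedsignature`;
}

const SAMPLE_BUNDLE = [
  'const stripe = Stripe("sk_live_EXAMPLEONLY0000000000001");',
  'const openai = new OpenAI({ apiKey: "sk-proj-EXAMPLEONLYabcdefghijklmnopqrstuvwxyz" });',
  'const DB_URL = "postgres://app_user:notarealpassword@db.example.internal:5432/app";',
  `const supabaseAdmin = createClient(URL, "${fakeJwt('service_role')}");`,
  `const supabase = createClient(URL, "${fakeJwt('anon')}");`,
].join('\n');

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`[${f.severity}] line ${f.line} ${f.id}: ${f.redacted}  ${f.note}`);
}
console.log(countBySeverity(scanBundle(SAMPLE_BUNDLE)));
```

To use it on a real deployment you would fetch the same bundle URLs a browser loads and pass each body to `scanBundle`; the anon-key rule is deliberately informational, because whether that key is dangerous depends on RLS being enabled on the tables it can reach, which cannot be judged from the bundle alone.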
How is this different from Snyk / Aikido / Semgrep?
Those tools are great for traditional dev teams with security engineers. They're priced for that audience too. VibeShield is for the indie founder who built their app with Lovable in a weekend and just wants to know if their database is exposed. Different product, different price.
Will the AI fix prompts actually work?
For the 80% of findings that are mechanical (exposed keys, missing RLS, missing headers), yes — they're tested against real Lovable/Cursor/Bolt projects and reliably produce a working fix. For the 20% that require judgment (architectural changes), the prompt gets you 90% of the way and you finish it yourself.
Do I need to give you my GitHub access?
Only for the $29/mo continuous plan. The free scan and the $9 deep scan only need your deployed URL. GitHub OAuth is read-only and only on repos you explicitly add.
What if you find something critical?
We tell you. We give you the exact fix prompt. We don't email you 14 times to upgrade. If your app is leaking secrets right now, we'd rather you fix it than pay us.