Is your AI-built app leaking?
~11% of vibe-coded apps expose Supabase keys in client code. ~20% have public-readable database tables. Paste your URL — get a read-only security report in seconds.
What we check
Supabase
Project URLs and anon/service_role keys in client JS. We enumerate tables via the OpenAPI endpoint and sample one row per table to detect tables that an RLS misconfiguration leaves publicly readable. We never write. We never use a discovered service_role key.
Firebase
Project IDs and open Realtime Database roots.
Other secrets
Stripe live keys, OpenAI / Anthropic keys, AWS access keys, GitHub tokens, Slack tokens, SendGrid, embedded private keys.
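The Supabase key check described above can be reproduced offline against your own build output. The sketch below is an added example, not vibecheck's code: it assumes JWT-format Supabase keys whose payload carries `iss`, `ref` and `role` claims, and `scan_bundle`, `decode_segment` and `make_sample_key` are hypothetical names. It classifies each key by role without ever contacting the project.

```python
import base64, json, re

# JWT-shaped strings: base64url header and payload both start with "eyJ" ('{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
URL_RE = re.compile(r"https://([a-z0-9]+)\.supabase\.co")

def decode_segment(segment):
    """Decode one base64url JWT segment to a dict, or None if it is not JSON."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
        return obj if isinstance(obj, dict) else None
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return None

def scan_bundle(js_text):
    """Return findings for Supabase project URLs and JWT-format keys in js_text."""
    findings = [{"type": "project_url", "ref": ref, "severity": "info"}
                for ref in sorted(set(URL_RE.findall(js_text)))]
    for token in sorted(set(JWT_RE.findall(js_text))):
        claims = decode_segment(token.split(".")[1])
        if not claims or claims.get("iss") != "supabase":
            continue  # some other JWT, not a Supabase API key
        role = claims.get("role")
        # anon is designed to be public, so RLS has to do the protecting;
        # service_role bypasses RLS and must never reach a browser.
        findings.append({"type": "api_key", "role": role, "ref": claims.get("ref"),
                         "severity": "critical" if role == "service_role" else "info",
                         "redacted": token[:12] + "..."})  # never log the full key
    return findings

def make_sample_key(role, iss="supabase"):
    """Build a constructed, unsigned key-shaped token for the demo input."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"iss": iss, "ref": "exampleref", "role": role}),
                     "constructed-signature"])

# Constructed bundle text: one anon key (expected) and one service_role key (leak).
SAMPLE_JS = ('const c=createClient("https://exampleref.supabase.co","%s");'
             'const admin="%s";' % (make_sample_key("anon"), make_sample_key("service_role")))

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_JS):
        print(finding)
```

An `info` finding for an anon key is not a clean bill of health: it only means the key is the public kind, so the tables behind it still need RLS policies.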
Why this exists
AI app builders generate frontends that talk directly to Supabase or Firebase using API keys baked into the client, but they don't configure Row-Level Security or security rules. The code compiles, the app works, and the database is wide open. Real breaches are happening: Moltbook leaked 1.5M tokens and 35K emails three days after launch from exactly this pattern.
Detection is becoming a commodity. Where vibecheck is headed is remediation: auto-generated RLS policies, key rotation walkthroughs, and continuous monitoring on every deploy.