Free · open source · runs locally

Is your AI-built app safe to ship?

You built it on Lovable, Bolt, v0, or Supabase in a weekend. Before real users show up, check it for the leaks that bite vibe-coded apps — exposed keys, open databases, missing auth.

$ npx leaktrap
No install. No signup. Your code never leaves your machine.

What it checks

01

Exposed API keys

Secret keys shipped to the browser where anyone can grab them.

02

Supabase RLS gaps

Tables with row-level security off — the #1 vibe-code data leak.

03

Unauthenticated endpoints

Write routes anyone can call directly, bypassing your app.

04

Path traversal

User input in file paths that can read ../../.env.

05

Committed secrets

Keys sitting in .env or source that got pushed to git.

06

Open CORS

Wildcard origins that let other sites act as your users.

Want it to run itself?

The free CLI catches leaks when you remember to run it. Get on the list for auto-fix PRs and monitoring on every push — so a leak never sneaks back in.

Pricing

CLI
Free forever

Full scanner. Local. Open source.

FIX + MONITOR
$29/mo

Auto-fix PRs + re-scan on every push.

AGENCY
$199/mo

Multiple projects + client-ready reports.