You built it on Lovable, Bolt, v0, or Supabase in a weekend. Before real users show up, check it for the leaks that bite vibe-coded apps — exposed keys, open databases, missing auth.
$ npx leaktrap
No install. No signup. Your code never leaves your machine.
LeakTrap — production-readiness scan🔴 Score: 0/100 — Do not ship2 critical6 high0 medium0 low
────────────────────────────────────────────
1. [CRITICAL] Stripe live secret key in browser code
src/config.js:1
Anyone who views your site's source can spend your money.
Fix: Move to a server route, use an env var, rotate the key.
2. [HIGH] Table "profiles" has Row-Level Security OFF
supabase/migrations/001_init.sql:1
Your whole table is readable via the public anon key.
Fix: ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
What it checks
01
Exposed API keys
Secret keys shipped to the browser where anyone can grab them.
02
Supabase RLS gaps
Tables with row-level security off — the #1 vibe-code data leak.
03
Unauthenticated endpoints
Write routes anyone can call directly, bypassing your app.
04
Path traversal
User input in file paths that can read ../../.env.
05
Committed secrets
Keys sitting in .env or source that got pushed to git.
06
Open CORS
Wildcard origins that let other sites act as your users.
Want it to run itself?
The free CLI catches leaks when you remember to run it. Get on the list for auto-fix PRs and monitoring on every push — so a leak never sneaks back in.