You built it on Lovable, Bolt, v0, Supabase, or Firebase in a weekend. Before real users show up, check it for the leaks that bite vibe-coded apps — exposed keys, open databases, missing auth.
In a scan of 101 AI-built apps, 68% had a security issue and 1 in 4 shipped their database key to the browser.
$ npx leaktrap
No install. No signup. Your code never leaves your machine.
LeakTrap — production-readiness scan🔴 Score: 0/100 — Do not ship2 critical6 high0 medium0 low
────────────────────────────────────────────
1. [CRITICAL] Stripe live secret key in browser code
src/config.js:1
Anyone who views your site's source can spend your money.
Fix: Move to a server route, use an env var, rotate the key.
2. [HIGH] Table "profiles" has Row-Level Security OFF
supabase/migrations/001_init.sql:1
Your whole table is readable via the public anon key.
Fix: ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
What it checks
01
Exposed API keys
Secret keys shipped to the browser where anyone can grab them.
02
Supabase RLS gaps
Tables with row-level security off — the #1 vibe-code data leak.
03
Firebase rules
allow read, write: if true — anyone can read or wipe your DB.
04
Unauthenticated endpoints
Write routes anyone can call directly, bypassing your app.
05
Path traversal
User input in file paths that can read ../../.env.
06
Committed secrets & DB URLs
Keys — or postgres://user:pass@… — pushed to git.
07
Open CORS
Wildcard origins that let other sites act as your users.
08
Tokens in localStorage
Auth tokens any XSS on your page can steal to impersonate users.
Want it to run itself?
The free CLI catches leaks when you remember to run it. Get on the list for auto-fix PRs and monitoring on every push — so a leak never sneaks back in.