Free · open source · runs locally

Is your AI-built app safe to ship?

You built it on Lovable, Bolt, v0, Supabase, or Firebase in a weekend. Before real users show up, check it for the leaks that bite vibe-coded apps — exposed keys, open databases, missing auth.

In a scan of 101 AI-built apps, 68% had a security issue and 1 in 4 shipped their database key to the browser.

$ npx leaktrap
No install. No signup. Your code never leaves your machine.

What it checks

01

Exposed API keys

Secret keys shipped to the browser where anyone can grab them.

02

Supabase RLS gaps

Tables with row-level security off — the #1 vibe-code data leak.

03

Firebase rules

allow read, write: if true — anyone can read or wipe your DB.

04

Unauthenticated endpoints

Write routes anyone can call directly, bypassing your app.

05

Path traversal

User input in file paths that can read ../../.env.

06

Committed secrets & DB URLs

Keys — or postgres://user:pass@… — pushed to git.

07

Open CORS

Wildcard origins that let other sites act as your users.

08

Tokens in localStorage

Auth tokens any XSS on your page can steal to impersonate users.

Want it to run itself?

The free CLI catches leaks when you remember to run it. Get on the list for auto-fix PRs and monitoring on every push — so a leak never sneaks back in.

Pricing

CLI
Free forever

Full scanner. Local. Open source.

FIX + MONITOR
$29/mo

Auto-fix PRs + re-scan on every push.

AGENCY
$199/mo

Multiple projects + client-ready reports.