89% of AI-built apps ship with vulnerabilities

Your vibe-coded app is probably leaking.

Free scanner for apps built with Lovable, Bolt, Cursor, v0, Replit and Claude Code. Paste your URL — we find every leak in 60 seconds.

No signup. No code access. Read-only — we never touch your data.


11% of vibe-coded apps leak Supabase keys. Source: SupaExplorer · 20,052 URLs

10% of Lovable apps shipped with broken RLS (CVE-2025-48757). Source: Matt Palmer · disclosure

1.5M auth tokens leaked from one Lovable app in 72 hours. Source: Moltbook hack · Jan 2026

$200K in Stripe payments processed with broken webhooks. Source: McKelvey · 7 failures from rescuing vibe-coded apps

How it works

Three steps. One URL. Every leak.

01. Paste your URL

No signup, no code access. Just the URL of your live vibe-coded app.

02. We scan it like an attacker would

14 checks across secrets, auth, RLS, headers, and injection — read-only, never destructive.

03. Get every leak + how to fix it

AI-ready fix instructions you paste back into Cursor, Claude or Lovable. Or let our humans ship the PR.

Coverage

Every leak class AI ships by default.

14 checks anchored on OWASP Top 10:2025, OWASP LLM Top 10:2025, and the 2025 CWE Top 25 — calibrated to the failure modes that actually break vibe-coded apps in production.

Exposed secrets

Supabase service_role, OpenAI, Stripe, AWS keys in your JS bundle.

Supabase RLS

We extract your anon key and probe every table the way an attacker would.

Auth bypasses

Client-side-only checks, missing server enforcement, alternate-path admin routes.

Security headers

CSP, HSTS, X-Frame-Options, cookie flags — what AI forgets to set.

Exposed files

.env, .git, source maps, /admin, /debug — anything you didn't mean to ship.

Injection probes

Reflected XSS, SQLi error signatures, path traversal, open redirects.
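As an added illustration of the exposed-secrets check above (example code, not the scanner's own): a small Python routine that reads a JS bundle, decodes any Supabase JWT it finds and flags a service_role key, which bypasses RLS and must never reach the browser, while treating the anon key as expected; it also flags Stripe sk_ secret keys but not pk_ publishable ones. The bundle excerpt and tokens are constructed for the example.

```python
import base64
import json
import re

# Supabase project keys are JWTs; the "role" claim tells anon (public) from service_role (server-only).
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Stripe secret keys are sk_live_/sk_test_; publishable pk_ keys are designed to be public.
STRIPE_SECRET_RE = re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}\b")


def _jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature: we only read claims here."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    return claims if isinstance(claims, dict) else {}

def find_leaks(bundle: str) -> list:
    """Return (kind, detail) pairs for secrets that must never ship in a browser bundle."""
    findings = []
    for m in JWT_RE.finditer(bundle):
        try:
            claims = _jwt_claims(m.group(0))
        except ValueError:  # base64/JSON errors: not a real JWT, skip it
            continue
        # An anon key in the bundle is expected; RLS is what protects it. service_role bypasses RLS.
        if claims.get("iss") == "supabase" and claims.get("role") == "service_role":
            findings.append(("supabase_service_role", claims.get("ref")))
    for m in STRIPE_SECRET_RE.finditer(bundle):
        findings.append(("stripe_secret_key", m.group(0)[:12] + "..."))  # truncate: never log whole secrets
    return findings

def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned Supabase-style token for the sample bundle (signature segment is junk)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".constructedsig"

# Constructed bundle excerpt: one expected anon key, one leaked service_role key, one leaked Stripe secret.
SAMPLE_BUNDLE = (
    "const sb=createClient('https://abcd1234.supabase.co','"
    + _fake_jwt({"iss": "supabase", "ref": "abcd1234", "role": "anon"}) + "');\n"
    + "const admin=createClient('https://abcd1234.supabase.co','"
    + _fake_jwt({"iss": "supabase", "ref": "abcd1234", "role": "service_role"}) + "');\n"
    + "const stripe=Stripe('pk_live_EXAMPLEpublishable');\n"
    + "fetch('/api/charge',{headers:{Authorization:'Bearer sk_live_EXAMPLEsecret0'}});\n"
)

if __name__ == "__main__":
    for kind, detail in find_leaks(SAMPLE_BUNDLE):
        print(f"LEAK {kind}: {detail}")
```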

Pricing

Start free. Pay only if it finds something.

$0, forever

Free Scan

The embarrassing stuff. Caught from outside.

  • Security headers (CSP, HSTS, X-Frame-Options, ...)
  • Cookie flags (Secure, HttpOnly, SameSite)
  • TLS protocol + cipher quality
  • Exposed files (.env, .git, /admin, source maps)
  • Public secrets in JS bundles (Stripe pk, OpenAI, AWS)
  • CORS misconfiguration
  • Public scorecard report

Recommended

$19, one-time

Deep Scan

All 14 checks. The ones AI tools actually break.

  • Everything in Free Scan, plus:
  • Supabase RLS probing (CVE-2025-48757)
  • Firebase Realtime / Firestore rule probing
  • Reflected XSS + SQLi error-signature probes
  • Path traversal + open-redirect probes
  • Auth bypass via alternate path (CWE-288)
  • Dependency CVE scan (Retire.js + OSV.dev)
  • AI-ready fix instructions for Cursor / Claude / Lovable
  • Embeddable trust badge if you pass

From $300, fixed scope

Human Checker

The 8 things no URL scanner can confirm.

  • Everything in Deep Scan, plus:
  • 2-account IDOR / BOLA testing
  • Business-logic flaws (race conditions, step-skipping, coupons)
  • Payment webhook signature verification (Stripe, PayPal)
  • Stored XSS + second-order injection
  • LLM excessive-agency / agentic blast-radius
  • Compliance signals (GDPR, PCI, HIPAA)
  • Fix shipped as a pull request you approve
  • Direct line to the founder

No scanner can confirm IDOR, business-logic flaws, or webhook integrity from a URL alone. That's what the human tier is for.

Read-only by design

We never run exploits. We probe. We observe. We report.

Your code stays yours

Free scan needs no access. Deep scan needs no access. Human-tier fixes are pull requests you approve.

Named founder

Ali Saeed runs this. No agency, no offshore team, no ghosting.