Issue No. 01 · The Field Manual · Free of charge

What did your AI accidentally ship?

A free, passive security review for web applications written with Lovable, Cursor, Replit, v0, Bolt — or by hand, in an evening, with Supabase open in the next tab. Submit a URL; receive a graded report in approximately thirty seconds.

Reviewed in approx. 30 seconds. Free of charge. Confidential.
Supabase · Firebase · Clerk · Convex · Neon · Vercel · Next.js · 50+ patterns

From the editor

A short note before reading.

The tools are very good. The defaults are catastrophic. Lovable will happily wire your service-role key into the frontend bundle and tell you the build succeeded. Cursor will scaffold a Firebase project with allow read, write: if true, because that is what the quickstart says, and never warn you. v0 will paste your OpenAI key in plaintext and call the result production-ready.

Most builders have no idea — until someone tells them, or someone exploits it. vybckr is the first thing that tells you. Free, passive, in thirty seconds, before someone else figures it out.¹

¹ If somebody else already has, they will not be writing in.

Method, in five chapters

The catalogue of avoidable ways an AI-built application is opened.

Each chapter is a family of checks. Approximately thirty in total. All passive: nothing authenticated, nothing written, nothing brute-forced.

I. Secrets, accidentally publicised

Service-role tokens, Stripe live keys, OpenAI credentials, GitHub PATs, JWT-signed admin tokens. Lifted from your JavaScript bundle, source maps, environment files, and HTML head, where the model placed them and never thought about it again.

Searched against fifty-plus signature patterns.
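As an added illustration of the chapter I check (not vybckr's own code and not its real signature table): a small Python scanner that runs three hypothetical signature patterns over bundle text and, for anything shaped like a JWT, decodes the claims so that only a service_role token counts as a finding while the anon key, which is meant to be public, does not. The sample bundle is constructed in the window.__ENV shape described in Specimen №01 below; every value in it is made up.

```python
import base64
import json
import re

# Illustrative signature table (hypothetical: three patterns of the kind such a scanner
# matches). Prefixes are the vendors' documented formats; length bounds are kept loose.
SIGNATURES = {
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "github_pat": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "openai_api_key": re.compile(r"\bsk-[0-9A-Za-z_-]{20,}"),
}
JWT_RE = re.compile(r"\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+")

def _mask(secret):  # preview for the report: never re-publish the whole secret found
    return f"{secret[:8]}...({len(secret)} chars)"

def _jwt_claims(token):
    """Decode a JWT payload without verifying it; None if it is not a JSON object."""
    seg = token.split(".")[1]
    try:
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None

def scan_bundle(text):
    """Run the signature table over bundle / .env / HTML text; returns (kind, line, preview)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in SIGNATURES.items():
            findings += [(kind, lineno, _mask(m.group(0))) for m in pat.finditer(line)]
        # A JWT is a finding only if its claims say service_role; the Supabase anon key
        # is a JWT too, and that one is meant to ship to the browser.
        for m in JWT_RE.finditer(line):
            claims = _jwt_claims(m.group(0))
            if claims and claims.get("role") == "service_role":
                findings.append(("supabase_service_role_jwt", lineno, _mask(m.group(0))))
    return findings

def _fake_jwt(claims):  # unsigned, obviously fake JWT for the constructed sample below
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "x" * 32])

# Constructed sample in the shape of a bundle's injected env object; every value is made up.
SAMPLE_BUNDLE = "\n".join([
    "window.__ENV={",
    '  NEXT_PUBLIC_SUPABASE_ANON_KEY:"' + _fake_jwt({"role": "anon"}) + '",',
    '  SUPABASE_SERVICE_ROLE_KEY:"' + _fake_jwt({"role": "service_role"}) + '",',
    '  STRIPE_SECRET_KEY:"sk_live_' + "A" * 24 + '",',
    '  GITHUB_TOKEN:"ghp_' + "b" * 36 + '"',
    "};",
])
```

Point it at your own built output (the files under dist/ or .next/static/) and anything it reports has already left the server; the fix is to rotate the key, not just to delete the line.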

II. Databases, left ajar

Supabase tables readable without authentication. Firestore rule files still reading allow read, write: if true. Postgres REST endpoints honouring anonymous queries. We probe fifteen common table names and the OpenAPI dump.

Reading is not breaking. We read what your app already serves.

III. Authentication, half-installed

Anonymous sign-up never disabled. Clerk public keys whose payload reveals user metadata. Convex endpoints accepting unvalidated input. Defaults appropriate to development, never reviewed before production.

Configuration is policy by another name.

IV. Storage, with the door propped

Supabase Storage buckets enumerable to anonymous clients. Firebase Storage discoverable. S3 returning bucket names through a CORS misconfiguration. The "private avatars" folder that is, in practice, an index.

A name is a beginning.

V. Frameworks, in their unfortunate defaults

Vercel preview deployments leaking environment variables. Next.js source maps available in production. The .env file served as a 200 OK. Cookies missing the Secure flag. Headers expected and quietly absent.

A defect of imagination, not of code.

The full reference, with severities and remedies, is filed under /docs.

The casebook

Three short specimens, names redacted.

All three were observed on production sites. None were theoretical. The bugs are reproducible at the date of writing.

Specimen №01 · Lovable + Supabase · Grade F

Stripe live secret in window.__ENV

A B2B SaaS shipped sk_live_… directly in the React bundle. Anyone reading the page source could refund any customer.

Found in 4 seconds. Fixed in 4 minutes.

Specimen №02 · YC fintech · Grade F

Forty thousand user emails read in one request

The users table had no Row-Level Security policy. /rest/v1/users?select=email,name returned the full member list to any caller with the (public) anon key.

Found in 11 seconds. Fixed in 10 minutes.

Specimen №03 · Cursor + Firebase · Grade D

allow read, write: if true — in production

A marketplace launched with the Firebase quickstart rule still in place. The orders collection was world-writeable.

Found in 8 seconds. Fixed in 15 minutes.

Procedure

Three steps. No login. Nothing installed.

The full method is documented at /how-it-works. The summary is short.

i. Submit a URL

Any public site. We treat it the way a stranger would on day one — passive recon, nothing authenticated.

ii. We probe in real time

Bundle inspection, header sweep, vendor fingerprinting, vendor-specific deep dives. Streaming, ~30 seconds.

iii. We issue a grade

Each finding ships with plain-English impact and a one-paragraph fix. Re-scan after fixing. Share if you want.

Eligibility

If your stack started with a prompt, you qualify.

Lovable, Cursor, Bolt, v0, Replit Agent — or a hand-rolled Next.js project where you wired Supabase yourself in an evening. Not because the tools are bad. Because the security defaults have not caught up to how quickly the tools ship.

Correspondence

A small selection of reasonable questions, with answers.

01. Is vybckr actually free?

Yes. The scan is free, no signup, no credit card.

02. Do you store my URL or scan results?

We store the result so you can share a link. Result pages are noindex by default. Deletion on request.

03. What if I don't own the site I'm scanning?

A Quick Scan only looks at your public surface — the same as opening DevTools in a browser. We never log in, never POST.

04. How is this different from Snyk, Sentry, or a real pentest?

Snyk scans dependencies. Sentry catches errors. A pentest costs $5–25k. We catch the specific things AI builders ship by accident.

05. Will this find every security issue?

No. We catch the catastrophic, beginner-mistake stuff that AI tools generate by default. Logic bugs need a human.

06. Who built this?

BotBrained. We ship AI-leverage tools for indie builders. vybckr is free because the most-asked question we hear is "is my Lovable app safe?"

Submit a URL

Thirty seconds. No signup. No catch.

Find out what the model wrote into your bundle while you weren't looking.