Hack My Vibecode
// THREAT SCANNER //
> SYSTEM READY. AWAITING TARGET INPUT.

IS YOUR VIBE-CODED APP
// SAFE OR HACKABLE? //

With great power comes great vulnerabilities. Paste your GitHub URL or upload your code and find out what's at risk in under 60 seconds. Scope & limitations

* YOUR CODE STAYS PRIVATE. FILES SCANNED IN MEMORY AND IMMEDIATELY DISCARDED. NO HUMAN EVER SEES YOUR SOURCE CODE. * PRIVACY POLICY →

* Public repos scan without sign-in. to scan more. *

P0 · CRITICAL
Exposed keys. Surprise API bills, hijacked accounts, data breaches.
P1 · HIGH
Weak spots an attacker can exploit in minutes.
P2 · MEDIUM
Small holes that add up. Worth fixing before they get chained.
// THREAT ASSESSMENT PROTOCOL //
> 01.
SUBMIT TARGET
Paste your GitHub URL or upload a .zip archive. No account required for public repos.
> 02.
AUTOMATED SCAN
Our system fetches your config files, API routes, auth logic, and database queries — then runs them through a security model tuned for the patterns AI coding tools introduce.
> 03.
RECEIVE BRIEFING
Get severity-rated findings in plain English — P0, P1, and P2, each with the exact fix. Download your fix-roadmap.md and work through it in your AI IDE.
// SAMPLE AUDIT OUTPUT //
P0 · Supabase service_role key exposed in frontend bundle
lib/supabaseClient.ts:3
WHY IT MATTERS

Anyone who opens your app's source code can grab this key and access your entire database. Every user account, every email, every piece of data you store — readable, editable, deletable.

HOW TO FIX IT

Replace with the anon key in client-side code. Move service_role to server-only files behind SUPABASE_SERVICE_ROLE_KEY in .env.local — never in NEXT_PUBLIC_ variables.
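A build-time guard for this finding, as an added example (not code from Hack My Vibecode or from Supabase): Next.js inlines every `NEXT_PUBLIC_` variable into the browser bundle, and Supabase API keys are JWTs whose payload carries a `role` claim (`anon` or `service_role`), so the guard decodes each public variable's value and refuses the build when a `service_role` token is found. The function names and the sample environment are assumptions constructed for the example; the tokens are unsigned placeholders, not real keys.

```typescript
// Added example: flag any NEXT_PUBLIC_* variable that carries a Supabase service_role JWT.
// Next.js inlines NEXT_PUBLIC_ variables into the client bundle, so such a key is public.

function decodeBase64Url(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Returns the "role" claim of an (unverified) JWT, or null when the value is not a JWT.
// The signature is deliberately not checked: this classifies a value, it does not authenticate it.
function jwtRole(value: string): string | null {
  const parts = value.split(".");
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(decodeBase64Url(parts[1]));
    return typeof payload?.role === "string" ? payload.role : null;
  } catch {
    return null; // not base64url, or not JSON: treat as "not a JWT"
  }
}

interface Finding { variable: string; reason: string }

// Scans an env map (for example a parsed .env.local). Names select the public variables;
// the decoded value decides the verdict, so a misnamed key is still caught.
function findExposedServiceRoleKeys(env: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith("NEXT_PUBLIC_")) continue;
    if (jwtRole(value) === "service_role") {
      findings.push({ variable: name, reason: "service_role JWT inlined into the client bundle" });
    }
  }
  return findings;
}

// --- constructed sample data: unsigned tokens, not real Supabase keys ---
function fakeJwt(payload: Record<string, unknown>): string {
  const enc = (o: unknown) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.sig`;
}

const SAMPLE_ENV: Record<string, string> = {
  NEXT_PUBLIC_SUPABASE_URL: "https://example.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: fakeJwt({ iss: "supabase", role: "anon" }),
  NEXT_PUBLIC_SUPABASE_KEY: fakeJwt({ iss: "supabase", role: "service_role" }), // the mistake
  SUPABASE_SERVICE_ROLE_KEY: fakeJwt({ iss: "supabase", role: "service_role" }), // server-only: fine
};

// Run as a prebuild step: fail loudly instead of shipping the key.
const exposed = findExposedServiceRoleKeys(SAMPLE_ENV);
if (exposed.length > 0) {
  console.error("Refusing to build: service_role key exposed to the client", exposed);
}
```

Wire it into `"prebuild"` in package.json (or a CI step) so the check runs before every bundle; the value-based check also catches the case where the service key was pasted into a public variable with an innocent-looking name.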

P1 · No rate limiting on /api/auth/login endpoint
app/api/auth/login/route.ts:1
WHY IT MATTERS

With no limit on login attempts, someone can run a script and try millions of passwords against your users' accounts overnight. No alarm, no lockout, no sign it happened.

HOW TO FIX IT

Add rate limiting middleware to your login route. With Supabase: enable the built-in auth rate limiting in your project settings. With a custom route: use upstash/ratelimit — 5 attempts per 15 minutes per IP is a safe default.
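The custom-route variant of this fix, as an added example (not code from Hack My Vibecode, Supabase or upstash/ratelimit): a sliding-window limiter with the 5-attempts-per-15-minutes-per-IP default, and a login handler that answers 429 with a `Retry-After` header once the window is full. The handler is written with plain request/response objects rather than Next.js `NextResponse` so it runs without a framework; `verifyCredentials` is a hypothetical stand-in for the real check. The clock is injectable so the behaviour can be tested deterministically.

```typescript
// Added example: in-process sliding-window rate limiter plus a login route that uses it.
// Caveat: the Map below lives in one process. On serverless or multi-instance deployments
// every instance keeps its own counts, which is why a shared store such as upstash/ratelimit
// is the recommendation for production.

interface RateLimitResult { allowed: boolean; remaining: number; retryAfterMs: number }

class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly now: () => number;

  constructor(limit: number, windowMs: number, now: () => number = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
  }

  check(key: string): RateLimitResult {
    const t = this.now();
    // Drop timestamps that fell out of the window; this also bounds memory per key.
    const recent = (this.hits.get(key) ?? []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest attempt still in the window decides when the next one is allowed.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

interface HttpResponse { status: number; headers: Record<string, string>; body: unknown }
interface Credentials { email: string; password: string }

// Shape modelled on app/api/auth/login/route.ts, reduced to plain objects.
function handleLogin(
  clientIp: string,
  credentials: Credentials,
  limiter: SlidingWindowLimiter,
  verifyCredentials: (c: Credentials) => boolean, // hypothetical stand-in for the real check
): HttpResponse {
  const rl = limiter.check(clientIp); // count every attempt, successful or not
  if (!rl.allowed) {
    return {
      status: 429,
      headers: { "Retry-After": String(Math.ceil(rl.retryAfterMs / 1000)) },
      body: { error: "Too many login attempts. Try again later." },
    };
  }
  if (!verifyCredentials(credentials)) {
    return { status: 401, headers: {}, body: { error: "Invalid email or password" } };
  }
  return { status: 200, headers: {}, body: { ok: true } };
}

// Constructed demo: a fake clock, one IP, six wrong passwords one second apart.
function demoLoginStatuses(): number[] {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(5, 15 * 60 * 1000, () => clock);
  const verify = (c: Credentials) => c.password === "correct horse";
  const statuses: number[] = [];
  for (let i = 0; i < 6; i++) {
    clock += 1000;
    const res = handleLogin("203.0.113.7", { email: "a@example.com", password: "wrong" }, limiter, verify);
    statuses.push(res.status);
  }
  return statuses; // [401, 401, 401, 401, 401, 429]
}

console.log(demoLoginStatuses());
```

Keying on the client IP is the page's default; behind a proxy or CDN the handler must read the forwarded address the platform guarantees, not the socket peer, or every user shares one bucket.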

P2 · Error details exposed to users
app/api/users/route.ts:14
WHY IT MATTERS

When something breaks, your app sends the full error to the browser — file paths, table names, stack traces. A blueprint for anyone looking.

HOW TO FIX IT

Replace raw error returns with a generic message: { error: 'Something went wrong' }. Log the real error server-side only. Never send stack traces, file paths, or DB messages to the client.
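One way to implement this fix, as an added example (not code from Hack My Vibecode): a helper that turns any thrown value into a client-safe response and writes the real error, with a correlation id, to the server log only. Errors the app deliberately raises for the client (the `ValidationError` class here) pass through with their own message; everything else becomes the generic message. The route handler is written with plain objects instead of Next.js `Response.json` so it runs anywhere; `ValidationError`, `newRequestId` and the sample failure are assumptions constructed for the example.

```typescript
// Added example: sanitise errors before they reach the browser; keep detail server-side.

class ValidationError extends Error {
  readonly status = 400;
  constructor(message: string) {
    super(message);
    this.name = "ValidationError";
  }
}

interface ServerLogEntry { requestId: string; name: string; message: string; stack?: string }
interface ClientErrorResponse { status: number; body: { error: string; requestId: string } }

let requestCounter = 0;
// Hypothetical id generator; a real service would use crypto.randomUUID() or the trace id.
function newRequestId(): string {
  return `req-${++requestCounter}`;
}

function toClientError(err: unknown, log: (entry: ServerLogEntry) => void): ClientErrorResponse {
  const requestId = newRequestId();
  const e = err instanceof Error ? err : new Error(String(err)); // non-Error throws are normalised
  // Full detail (stack, file paths, DB messages) goes to the server log only.
  log({ requestId, name: e.name, message: e.message, stack: e.stack });
  if (e instanceof ValidationError) {
    return { status: e.status, body: { error: e.message, requestId } };
  }
  // Everything unexpected: generic message plus an id the user can quote to support.
  return { status: 500, body: { error: "Something went wrong", requestId } };
}

// Route handler in the shape of app/api/users/route.ts, reduced to plain objects.
async function handleGetUsers(
  query: () => Promise<unknown>,
  log: (entry: ServerLogEntry) => void,
): Promise<{ status: number; body: unknown }> {
  try {
    return { status: 200, body: await query() };
  } catch (err) {
    // Before: return Response.json({ error: String(err) }, { status: 500 })
    // After: the raw error never leaves the server.
    return toClientError(err, log);
  }
}

// Constructed failure resembling a leaked database error with a file path in it.
const failingQuery = async (): Promise<unknown> => {
  throw new Error('relation "users" does not exist (app/api/users/route.ts:14)');
};

handleGetUsers(failingQuery, (entry) => console.error("server log:", entry)).then((res) =>
  console.log("client sees:", res),
);
```

The `requestId` in the client body is the only thing that links the two sides: support can find the full stack trace by id without the browser ever receiving it.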