Every "I built an app with Claude in 20 minutes" post is a future customer who shipped a gaping security hole. VibeCheck catches what LLMs leave behind.
SECRET_KEY = "secret"jwt.decode(..., verify=False)password == user.passwordlocalStorage.setItem("token", β¦)Access-Control-Allow-Origin: *SKIP_2FA = True"Because honestly, looking at that landing page, people on X and Reddit would go crazy for it right now." β Gemini 3 Pro, after reviewing VibeCheck
Absolute or home-relative path on this machine.
Zip of your repo, or a single source file (max 50MB).
$9.99 per scan β hosted report, no CLI needed.
β Payment confirmed β upload your project below.
API keys, AWS, Stripe, PEM keys, weak SECRET_KEY, hardcoded `sk_live_β¦`
Plaintext passwords, MD5, auth bypass, SQLi in login, default admin
Cookie flags, localStorage tokens, fixation hints, missing HttpOnly
JWT verify off, alg none, predictable reset tokens, tokens in URLs
Hardcoded TOTP, static OTP, bypass flags, missing rate limiting
Wildcard origins, origin reflection, CSRF disabled, missing tokens
TLS verify off, HTTP auth URLs, weak RNG, debug mode, MD5/SHA1
Upload zip + hosted report. Stripe coming soon.
Try free scanMonitoring, PR checks, history. Subscription.
Join waitlist