ShipSafe

passive scan · read-only · no code access

Is your AI-built app leaking?

Paste a URL. ShipSafe reads your deployed app and checks the exact things Lovable, Bolt, v0, Cursor and Replit ship with - exposed API keys, open databases, leaked files - then hands you a one-click fix.

free · no signup · we never touch your code

shipsafe - scan
$ shipsafe scan yourapp.com
 fetched app · 11 JS bundles        1.8s
 probed Supabase · 36 tables        0.9s
! Stripe secret key in bundle        CRITICAL
! Supabase table readable by anyone  CRITICAL
! .env file downloadable             HIGH
──────────────────────────────────
  score 34/100 · 3 issues, 2 critical
 fix prompt ready · paste into Cursor/Claude

read-only

We only read what is already public on your site. No code access, no writes, nothing changed.

nothing stored

We never keep your code, keys, or scan results. Any secret we surface is redacted on sight.

battle-tested

Calibrated against 200+ real AI-built apps before launch, tuned to avoid false alarms.

no signup

Free. No account, no card, no email needed to run a scan.

/ the state of vibe coding

65%

of vibe-coded apps ship with a security issue

10.5%

of AI-built apps are actually secure

2,000+

live apps found publicly leaking user data

/ how it works

Find it, fix it, prove it’s gone.

READ

We read your live app, not your promises.

Paste a URL. ShipSafe fetches your real deployed app - the JS bundle, your database, the files on your server - and checks the mistakes AI builders make. No install, no code access.

FIX

One prompt, pasted into your agent.

Every issue ships with a plain-English explanation and a copy-paste fix prompt for Cursor, Claude or Lovable. You don't need the jargon - your agent does the fix.

VERIFY

Re-scan to prove it's actually closed.

Run the fix, scan again. ShipSafe confirms the leak is gone - so you're not taking your own AI's word for it. That loop is the whole point.

/ what it catches

The leaks AI builders ship by default.

KEYS

Exposed API keys

OpenAI, Stripe, AWS, Google, SendGrid, GitHub and DB strings sitting in your public JavaScript.

13 key types

DB

Open databases

Supabase tables readable by anyone because Row Level Security was never turned on.

36 tables probed

FILES

Leaked files

Your .env and .git served publicly - secrets and full source, downloadable.

/.env · /.git

HEADERS

Missing protections

No security headers, exposed source maps, and the defaults that make attacks easy.

HSTS · CSP · maps

/ start

Find your leaks in 30 seconds.

Free, no signup, no code access. Just paste your link.
