The Meridian Lab · Security inspection

Inspect any AI-built app for exposed credentials and open databases.

Read-only. Paste a URL, get a report in five seconds. No signup, no SDK, no source code.

23 detector families · 173 rules · 22 articles · Agent-ready

Anonymized live feed

What vibecheck has flagged across vibe-coded apps.

Rule + severity + platform shape only — no URLs, no PII. Updated as scans run.

Live · last 14 days · domains redacted
recent · Critical · supabase_service_role_in_client · *.pages.dev
recent · High · firebase_rtdb_open · *.bolt.new
recent · High · cors_origin_reflected_with_credentials · *.vercel.app
recent · High · exposed_sourcemap · *.netlify.app
recent · Critical · stripe_secret_key · *.com
recent · High · jwt_admin_in_client · *.app

Built for the agent loop

Point any coding agent at /skill.md.

One self-contained markdown manifest tells the agent when to scan, how to invoke the free tier, when to escalate to a paid deep scan with explicit user authorization, and how to surface findings to the human in plain-English consequences — not raw rule names.

Works with Claude Code, Cursor, Cline, Codex CLI, Devin, and custom agents. MCP server at /api/mcp. Free up to 30 scans/hour per IP.

# Free scan — no auth, no signup
curl -X POST https://vibecheck.themeridianlab.com/api/scan \
  -H "Content-Type: application/json" \
  -d '{"url":"https://your-app.com","consent":true}'

# Deep scan (paid) — adds subdomain CT enumeration + sourcemap re-scan
curl -X POST https://vibecheck.themeridianlab.com/api/scan \
  -H "Authorization: Bearer $VIBECHECK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://your-app.com","consent":true,"deep":true}'

# Anonymized recent findings (public, no auth)
curl "https://vibecheck.themeridianlab.com/api/feed?limit=25"

Frequently asked

Five-second answers.

What does vibecheck inspect?

Fifteen families. Supabase: project URLs, anon and service_role keys, public-readable tables via OpenAPI enumeration, PII column flags. Firebase: project IDs, Realtime Database root, Firestore collections, Storage buckets. BaaS: Convex, Appwrite, Pocketbase. Secrets: 60+ patterns across Stripe, OpenAI, Anthropic, AWS, GitHub, Slack, SendGrid, the AI inference platforms, observability tokens, financial APIs, embedded private keys. JWTs: alg=none, hardcoded admin claims, no-exp tokens, long-lived access tokens. Plus paths, API surface, response headers, storage providers, framework dev-tools, LLM prompts, default credentials, info leaks, open redirects, and (deep-scan) subdomain enumeration.
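The JWT family above (alg=none, hardcoded admin claims, no-exp and long-lived tokens) and the service_role-in-client finding from the live feed are easy to illustrate with a small detector. The code below is an added example, not vibecheck's own rules: it assumes tokens are embedded in a client bundle as string literals, reads claims without verifying the signature (the token's presence is the finding; nothing is ever sent to the issuer), and uses my own severity labels, admin claim names and a 30-day "long-lived" threshold where the page does not spell them out. The rule names `supabase_service_role_in_client` and `jwt_admin_in_client` are taken from the feed; the others are assumed.

```python
"""Inspect JWT-shaped strings found in a client bundle and flag risky ones.

Added example (not vibecheck's code). Signature is deliberately not checked.
"""
import base64
import json
import re
import time

# base64url('{"') is 'eyJ', so every JWT with a JSON header starts this way.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
ADMIN_CLAIMS = ("admin", "is_admin", "isAdmin", "superuser")  # assumed claim names
LONG_LIVED_SECONDS = 30 * 24 * 3600                            # assumed threshold


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    """Return (header, payload) dicts. No signature check: we only inspect, never trust."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def assess_token(token, now=None):
    """Return a list of (rule, severity) for one token; [] if it is not a parseable JWT."""
    now = time.time() if now is None else now
    try:
        header, payload = decode_unverified(token)
    except ValueError:  # wrong segment count, bad padding, or bad JSON
        return []
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append(("jwt_alg_none", "Critical"))
    # Supabase keys are JWTs whose `role` claim is "anon" or "service_role";
    # service_role bypasses RLS, so it must never ship inside a browser bundle.
    if payload.get("role") == "service_role":
        findings.append(("supabase_service_role_in_client", "Critical"))
    if payload.get("role") == "admin" or any(
        payload.get(c) in (True, "true", 1) for c in ADMIN_CLAIMS
    ):
        findings.append(("jwt_admin_in_client", "High"))
    exp = payload.get("exp")
    if exp is None:
        findings.append(("jwt_no_exp", "High"))
    elif isinstance(exp, (int, float)) and exp - now > LONG_LIVED_SECONDS:
        findings.append(("jwt_long_lived", "Medium"))
    return findings


def scan_bundle(text, now=None):
    """Map every flagged token in a JS bundle to its findings."""
    out = {}
    for match in JWT_RE.finditer(text):
        findings = assess_token(match.group(0), now)
        if findings:
            out[match.group(0)] = findings
    return out


def make_token(header, payload, signature="sig"):
    """Build a dummy-signed JWT for the constructed sample (no real key involved)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed bundle: an alg=none token, a service_role key, and a healthy short-lived token.
    bundle = (
        'const A="' + make_token({"alg": "none", "typ": "JWT"}, {"sub": "u1", "exp": now + 3600}, "") + '";'
        'const B="' + make_token({"alg": "HS256", "typ": "JWT"},
                                 {"iss": "supabase", "role": "service_role", "exp": now + 10 * 365 * 86400}) + '";'
        'const C="' + make_token({"alg": "RS256", "typ": "JWT"}, {"sub": "u3", "exp": now + 900}) + '";'
    )
    for token, findings in scan_bundle(bundle, now).items():
        print(token[:24] + "...", findings)
```

The detector never calls out with a discovered key, which is the same stance the FAQ below takes: a service_role key in a bundle is reported by its claims, not exercised. The `now` parameter is there so the long-lived check is deterministic in tests.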

Is it safe to run against production?

Yes. Inspections are read-only. We never write, modify, or delete database rows. We never use a discovered service_role key — its presence is the finding; using it would be exfiltration. We sample one row per public-readable table to extract column names, then discard the body. PII values are never stored.

How long does an inspection take?

Five to fifteen seconds. Most complete in under ten. Deep scan adds 20–30 seconds for the subdomain enumeration step.

Can my coding agent use vibecheck?

Yes. The agent skill manifest at /skill.md is a self-contained instruction document an agent can ingest to know how to invoke vibecheck. Free tier scan via POST /api/scan; paid tier (deep scan) via Authorization: Bearer header. There is also an MCP endpoint at /api/mcp for clients that speak the Model Context Protocol.

Are inspection results stored?

The full scan report is not persisted. We do persist a single anonymized summary row per finding for the public findings feed at /api/feed: rule name, severity, platform shape (e.g. *.pages.dev), timestamp. URLs, host names, and any sampled body content are never stored. Rows expire after 14 days.

Which platforms does vibecheck cover?

Supabase, Firebase (Realtime DB / Firestore / Storage), Convex, Appwrite, Pocketbase, plus 60+ generic secret patterns. The scanner works for any AI-generated app — Lovable, Bolt.new, v0, Replit Agent, Windsurf — or hand-written code.

Does it fix what it finds?

It generates suggested Row-Level Security policy SQL based on the observed schema. Six pattern templates: per-user ownership, owner plus visibility, tenant-scoped, profile pattern, public-read-only, deny-all fallback. You apply the SQL. We never write to your database.
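To make the six templates concrete, here is an added example (not vibecheck's generator) that picks a template from an observed table schema and emits Supabase-style Postgres policy SQL. It assumes the `auth.uid()` and `auth.jwt()` helpers, a tenant id carried in a `tenant_id` JWT claim, and my own column-name heuristics (`user_id`, `org_id`, `is_public`, and so on) for choosing among the templates; the profile pattern is rendered as own-row access only. Observed table and column names are treated as untrusted input and are validated before they are quoted into SQL.

```python
"""Choose an RLS policy template from an observed schema and emit the SQL.

Added example (not vibecheck's code). Template heuristics and claim names are assumptions.
"""
import re

IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")
OWNER_COLS = ("user_id", "owner_id", "author_id")                        # assumed
TENANT_COLS = ("tenant_id", "org_id", "organization_id", "workspace_id")  # assumed
VISIBILITY_COLS = ("is_public", "public")                                 # assumed


def _ident(name):
    """Quote an identifier, refusing anything that is not a plain snake_case name.
    Schema names came from a scanned app, so they are never spliced raw into SQL."""
    if not IDENT_RE.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def choose_template(table, columns, public_read=False):
    """Map observed columns to one of the six templates."""
    cols = set(columns)
    if public_read:
        return "public_read_only"
    if table == "profiles" and "id" in cols:
        return "profile"
    if any(c in cols for c in TENANT_COLS):
        return "tenant_scoped"
    owner = any(c in cols for c in OWNER_COLS)
    if owner and any(c in cols for c in VISIBILITY_COLS):
        return "owner_plus_visibility"
    if owner:
        return "per_user_ownership"
    return "deny_all"  # no recognisable ownership column: default-deny until a human decides


def suggest_rls_sql(table, columns, public_read=False):
    """Return (template_name, sql). Enabling RLS with no policies already denies all rows
    to non-owner roles, so the deny-all fallback is the ALTER TABLE line alone."""
    cols = set(columns)
    t = _ident(table)
    template = choose_template(table, columns, public_read)
    sql = [f"alter table {t} enable row level security;"]

    def policy(suffix, clause):
        sql.append(f"create policy {_ident(f'{table}_{suffix}')} on {t} {clause};")

    if template == "per_user_ownership":
        o = _ident(next(c for c in OWNER_COLS if c in cols))
        policy("owner_all", f"for all using (auth.uid() = {o}) with check (auth.uid() = {o})")
    elif template == "owner_plus_visibility":
        o = _ident(next(c for c in OWNER_COLS if c in cols))
        v = _ident(next(c for c in VISIBILITY_COLS if c in cols))
        policy("read", f"for select using ({v} = true or auth.uid() = {o})")
        policy("insert", f"for insert with check (auth.uid() = {o})")
        policy("update", f"for update using (auth.uid() = {o}) with check (auth.uid() = {o})")
        policy("delete", f"for delete using (auth.uid() = {o})")
    elif template == "tenant_scoped":
        tc = _ident(next(c for c in TENANT_COLS if c in cols))
        cond = f"{tc}::text = auth.jwt() ->> 'tenant_id'"  # assumed claim location
        policy("tenant_all", f"for all using ({cond}) with check ({cond})")
    elif template == "profile":
        i = _ident("id")
        policy("own_select", f"for select using (auth.uid() = {i})")
        policy("own_insert", f"for insert with check (auth.uid() = {i})")
        policy("own_update", f"for update using (auth.uid() = {i}) with check (auth.uid() = {i})")
    elif template == "public_read_only":
        policy("public_read", "for select using (true)")  # no insert/update/delete policies
    return template, "\n".join(sql)


if __name__ == "__main__":
    # Constructed schemas standing in for what a scan's one-row sample would reveal.
    for table, columns in [("posts", ["id", "user_id", "body", "is_public"]),
                           ("invoices", ["id", "org_id", "amount"]),
                           ("secrets", ["id", "value"])]:
        name, text = suggest_rls_sql(table, columns)
        print(f"-- {table}: {name}\n{text}\n")
```

The generator only suggests; as the FAQ says, applying the SQL stays with the app owner. The `_ident` check is the part worth keeping even if the heuristics change: a table name is a string that arrived from someone else's deployment.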