Security for apps built with AI{ free 15-second vibe check }

AI built your app. Is it leaking secrets?

Paste your live URL. Fifteen seconds later you know every key, file and header your app is exposing — with a plain-English fix for each one.

OpzyAI - Finds what your AI-built app leaks — your editor fixes it | Product Hunt
No account, no card Score in ~15 seconds We only read what’s public
Watch it work

This is the whole product.

A scan reads only what your site already shows every visitor — and tells you whether you’d survive someone less friendly finding it first. Leaky apps fail loudly. Clean apps get a badge.

opzyai · live scanpassive · reads only what's public

$ opzyai scan myapp.vercel.app

CRITICALStripe secret key in client bundle
HIGH.env reachable on production
LOWMissing Content-Security-Policy
49/100

● not safe to ship — fix the critical first

Under the hood — the scanners security pros already trust

nucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checksnucleiOSV.devSemgrepTrivygitleaksHTTP/header checks
The catch with shipping fast

What AI coding tools quietly leave behind

Vibe-coding gets you to launch in a weekend. It also leaves a trail of security holes that nobody on the team is checking for — because there is no security team.

01

Keys in the browser

OpenAI, Anthropic and Stripe keys hardcoded into your client bundle — shipped to every visitor who opens dev tools.

02

A wide-open database

Exposed Supabase service-role keys, or tables with no row-level security — your users’ data, readable by anyone.

03

Exposed source & config

Public .env files, source maps and .git folders that hand attackers your code and credentials.

04

Unguarded endpoints

API routes with no auth check — anyone can call them, read other users’ data, or run up your AI bill.

05

Missing security headers

No CSP, permissive CORS, leaky cookies — the defaults your AI editor never set for you.

06

Secrets in git history

That key you rotated is still sitting in an old commit. Connect your repo and we’ll find it.

You can’t fix what you can’t see. Run a free Vibe Check →

How it works

From URL to fix in four steps

No setup, no security degree. Paste a link and you’re reading real findings within seconds.

  1. 01

    Paste your URL

    No account, no install, no credit card. Just the link to your live app.

  2. 02

    We probe what’s public

    OpzyAI looks at your app the way an attacker would — the JS bundle, headers, exposed files and endpoints.

  3. 03

    Get a Launch Readiness score

    A 0–100 score and a plain-English list of what’s exposed — ranked by how much it actually matters.

  4. 04

    Fix it in minutes

    Each finding ships with a paste-ready fix — or connect your repo and let OpzyAI hand the fix straight to your AI editor over MCP to apply.

See what you’re exposing

Exactly what’s leaking, in plain English

No CVE soup. Every finding tells you what’s exposed, why it matters, and what an attacker could actually do with it — in language you can act on without a security background.

  • Ranked by real-world impact, not raw severity
  • Plain-English explanations, zero jargon
  • A shareable Launch Readiness score
opzyai / findings
0 findings
ranked by exploitability
live
  • CRITICALSQL injectionsemgrep
  • HIGHHardcoded AWS access keygitleaks
  • HIGHVulnerable lodash 4.17.4trivy
  • MEDIUMMissing security headersweb-http
  • LOWVerbose error disclosurenuclei
auto-triaged · de-duped across tools3 new since last deploy
Fix, don’t just flag

Fixes your AI editor applies for you

Connect OpzyAI to Cursor or Claude Code over MCP and ask for fixes. It hands your agent the exact change to apply — a precise package.json bump for a vulnerable dependency, or a step-by-step rotation runbook for a leaked key — right in the editor you’re already in.

  • Exact dependency-upgrade edits, checked against your real package.json
  • Provider-specific secret-rotation runbooks — AWS, Stripe, Supabase and more
  • Applied in your editor — OpzyAI never changes your repo
opzyai / finding · remediation
HIGHHardcoded AWS access key fix ready
// config/aws.ts
-const key = "AKIA3F9…Q7"
+const key = process.env.AWS_ACCESS_KEY
compliance evidence · always current
SOC 2 ISO 27001 GDPR OWASP
open risk ↓ trending down
Safe by construction

We can only scan what you own

The free Vibe Check only reads what your site already shows the public. Go deeper, and OpzyAI re-verifies you own the target on every run — there is no override path in the code.

  • Public scan touches only what’s already public
  • Ownership re-verified before every deep scan
  • Your code is cloned to a throwaway sandbox, then deleted
opzyai / scope guard
app.acme.com
verified
ownership re-verified on every run — no exceptions
  • Ownership verifiedre-checked 2m ago
  • Authorization signedowner@acme.com
  • Tenant isolationrow-level (RLS)
  • No override pathenforced in architecture
audit log · append-only
10:02:14 scan.authorized owner=verified
10:02:14 scope.locked sha256 0x9f3a…
10:02:15 run.started app.acme.com
Why you can leave it on

The free Vibe Check only ever reads what your app already shows the public. Go deeper, and nothing runs against a target until you’ve proven you own it. Not a setting you toggle a guarantee built into the architecture.

15s
typical time from URL to a Launch Readiness score
€0
to run a Vibe Check — no account, no credit card
4
AI builders it speaks to: Cursor, Lovable, v0, Bolt
0
targets ever scanned without proven ownership
Questions

The short version

Straight answers on what the Vibe Check finds, how it stays safe, and what it costs.

What is the OpzyAI Vibe Check?

The Vibe Check is a free, no-account security scan for apps built with AI tools like Cursor, Lovable, v0 and Bolt. Paste your live URL and OpzyAI checks what your app exposes to the public — leaked API keys, exposed .env and source files, missing security headers — then returns a 0–100 Launch Readiness score with plain-English fixes in about 15 seconds.

What kinds of problems does it catch?

The common mistakes AI coding tools ship: API keys hardcoded into the client bundle (OpenAI, Anthropic, Stripe), exposed Supabase service-role keys or tables with no row-level security, public .env / .git / source-map files, unauthenticated API routes, and missing security headers. Connect your repo for the deep scan to also catch secrets in git history, dependency CVEs, and code-level bugs.

Is it safe to scan my app? Will it break anything?

Yes. The free Vibe Check is passive — it only reads what your site already shows the public, the same way a visitor’s browser does. Nothing is exploited or changed. For deeper repo and dynamic scans, OpzyAI re-verifies you own the target on every run; there is no override path in the code, so it can never test something you have not proven you control.

Do I need to be a security expert?

No. Every finding is written in plain English — what is exposed, why it matters, and a fix you can paste straight back into Cursor or your AI editor. No CVE jargon and no security background required.

Does OpzyAI fix the issues, or just find them?

Both. Every finding comes with a plain-English fix, and if you connect OpzyAI to Cursor or Claude Code over MCP you can ask it to propose fixes — it hands your AI editor the exact change to apply: a precise package.json upgrade for a vulnerable dependency, checked against your real manifest, or a step-by-step rotation runbook for a leaked key. You review and apply it in your editor; OpzyAI never changes your repo on its own.

How is this different from GitHub or my AI tool’s built-in checks?

GitHub and your editor catch some issues in your code, but they do not look at your live, deployed app the way an attacker does — the actual JS bundle in the browser, exposed files, and unguarded endpoints. OpzyAI scans the running app first (no setup), then optionally your repo, and ranks everything by real-world impact.

How much does it cost?

The Vibe Check is free, forever — no account and no credit card. Paid plans add continuous monitoring, full repo deep scans, and automatic re-scans so you stay covered as you keep shipping. See the pricing page for details.

See what your app is leaking — free.

Paste your URL, get a Launch Readiness score in seconds, and a fix for everything we find. No account required.