LLM-powered static analysis

You vibe-coded it. Now security-check it.

Connect your GitHub repo and get a plain-English audit of the security issues AI-generated apps often miss — exposed secrets, vulnerable packages, missing auth, injection risks, and framework mistakes.

Code is cloned ephemerally and discarded after each scan. You bring your own Anthropic API key — see the cost caps below.

Coverage

What we look for

Two off-the-shelf scanners run for free; an extensible library of LLM-powered review skills handles the judgment calls. New skills land as Markdown files, so coverage grows over time.

Secrets in code (TOOL): Tokens, keys, and credentials in the working tree.

Vulnerable dependencies (TOOL): Known CVEs across npm, PyPI, Go, RubyGems, and more.

Authorization patterns (LLM): Missing checks, IDOR risks, inconsistent middleware.

SQL injection (LLM): Unsafe interpolation, raw escape hatches, dynamic identifiers.

Cross-site scripting (LLM): dangerouslySetInnerHTML, unescaped template sinks, URL handlers.

Server-side request forgery (LLM): Outbound calls with user-controlled URLs and metadata exposure.

Path traversal (LLM): Filesystem reads/writes derived from request input.

JWT handling (LLM): Algorithm pinning, expiration, audience and issuer checks.

Cryptography misuse (LLM): Algorithm selection, IV reuse, weak RNG, password hashing.

Dangerous deserialization (LLM): eval, unsafe YAML, prototype pollution, XML entities.

Express security review (LLM): Middleware ordering, CORS, body limits, security headers.

Next.js security review (LLM): Server-action auth, route handlers, server-only secrets.

How it works

From repo to report in three steps

1. Connect GitHub: Sign in once. We use your OAuth token to clone the repo we're scanning, nothing else.

2. Pick a depth: Quick, Standard, or Deep. Each has a hard cost cap so you always know the upper bound.

3. Read the report: See exactly which skills ran, where each one looked, what looks good, and what's at risk — with file and line references.

Cost

You set the budget. Hard caps included.

Costs are charged to your own Anthropic API key. Each scan stops cleanly when the cap is hit, with whatever findings it had so far — no surprise bills.

Quick

Fast triage — top 3 most-relevant skills, shallow investigation. Good for a first look.

$0.50 hard cap per scan

Typical ~$0.10 – $0.50

  • Up to 3 most-relevant skills
  • 8 turns per skill
  • Stop button at any time
  • Per-skill cost transparency

Standard

RECOMMENDED

All matching skills at normal depth. Recommended for most scans.

$2.00 hard cap per scan

Typical ~$0.50 – $2.00

  • All matching skills
  • 15 turns per skill
  • Stop button at any time
  • Per-skill cost transparency

Deep

All matching skills with extra headroom for re-reads and deeper investigation.

$8.00 hard cap per scan

Typical ~$2 – $8

  • All matching skills
  • 25 turns per skill
  • Stop button at any time
  • Per-skill cost transparency

Ready to scan?

One click, then pick a repo. The first scan can be done before your coffee gets cold.