Pre-ship · Cursor · Bolt · Lovable

Scan AI-built apps
before they ship.

A focused security pass for the apps you generated in Cursor, Bolt, or Lovable. Public-surface checks, exposure scans, and agent-config audits — delivered as one report.

vcg-scan · https://app.example.com LIVE SCAN
01 crit · 02 high · 02 med · 01 low
CSP-001 · high · Missing Content-Security-Policy · headers
EXP-014 · crit · .env exposed at /.env · exposure
HDR-007 · med · X-Frame-Options absent · headers
COR-002 · high · Wildcard CORS origin allowed · cors
TLS-018 · low · TLS 1.0 still negotiable · tls
AGT-009 · med · Clawdbot manifest leaked · agent
48 checks across: Headers · Exposed files · CORS posture · TLS / SSL · Cookies · Tech fingerprint · Agent config · Injection probes
> the failure modes

AI writes code fast. Production still needs a security pass.

01 · crit

Hardcoded secrets

Exposed API keys, passwords, unsafe eval patterns, and missing validation that AI tools generate by default.

EXP-014 · EXP-022 · SEC-101
02 · high

Injection probes

Safe SQL injection, XSS, open-redirect, and rate-limit probes. SOC 2 readiness classification and WCAG 2.2 signals in Deep tier.

INJ-007 · XSS-101 · RED-019
03 · med

Misconfigurations

Security headers, exposed files, SSL posture, tech fingerprints, and Clawdbot or AI-agent configuration leaks.

CSP-001 · HDR-007 · AGT-009
> how it works

Paste a URL.
Ship with evidence.

No source-code access required. VibeCodeGuard scans the public URL you submit — staging or production — and returns a structured report with severity, evidence, and fix suggestions.

01 Submit: Paste staging or production URL. Pick a tier.
02 Scan: Passive surface, then safe active probes. 24–48 checks.
03 Report: Severity-ranked findings, evidence, PDF, share link.
~/vibecodeguard — zsh
$ vcg scan https://app.example.com --tier deep
→ resolving target · TLS 1.3 · 200 OK
→ passive surface · 14 checks
! CSP-001 missing Content-Security-Policy
✕ EXP-014 /.env returns 200 with secrets
! COR-002 Access-Control-Allow-Origin: *
→ active probes · safe-mode · 10 checks
✓ XSS-101 reflected XSS not detected
! AGT-009 agent manifest exposed at /.well-known
scan complete · 1 crit · 2 high · 2 med · 1 low · 1.42s
> pricing

Pay per pre-ship scan.

Launch Check is $5 during the launch offer. Advanced tiers are Available Soon.

Launch Check
Most starters
LAUNCH OFFER
$9 → $5 · launch offer · per scan
  • Security headers audit
  • Exposed file checks
  • Browser / cookie / CORS posture
  • Report with fix suggestions
Deep Ship Review
Active checks
Available Soon
  • Everything in Launch Check
  • Safe active injection + redirect probes
  • API and request-handling checks
  • SOC 2 readiness evidence map
  • WCAG 2.2 accessibility signals
Agent/MCP Deep
For agent surfaces
Available Soon
  • Everything in Deep Ship Review
  • OpenClaw, Hermes, Clawdbot, MCP posture
  • Tool exposure and sensitive-action controls
  • Prompt-injection signals

Ready for a pre-ship scan?

Run a focused public-surface check before you share your Cursor, Bolt, or Lovable app with users.