// PRE-LAUNCH_SECURITY_AUDIT

SECURITY.
KIT.

A pre-launch security audit you run in your own AI coding session. For apps built with Lovable, Bolt, Cursor, v0, or Replit. Tool-agnostic. No SaaS, no scanner backend, no source upload. You drop the kit into your project, paste a prompt, and your AI walks through 25 findings, writes a report, and offers to apply fixes.

BUY ON GUMROAD · $99
PRICE: $99
FINDINGS: 25
SUPPLEMENTS: 5
REFUND: 30 DAYS
UPDATES: 12 MONTHS

The patterns are documented. The kit catches them before you ship.

Carnegie Mellon's SusVibes study tested AI coding tools across hundreds of generation tasks. 61% of the output was functionally correct. 10.5% was secure. Escape.tech scanned 5,600 vibe-coded apps and found 2,000+ vulnerabilities and 400+ exposed secrets.

CVE-2025-48757, disclosed in May 2025, covers 170 Lovable apps whose Supabase tables were readable by unauthenticated requests — roughly 13,000 users' data exposed across them.

SOURCE: SUSVIBES

SOURCE: ESCAPE.TECH

CVE-2025-48757

A complete audit your own AI runs.

FORMAT: MARKDOWN

RUNS: LOCAL

Grouped by severity.

Critical (fix before deploying): RLS gaps, unprotected API routes, committed secrets, broken access control, secret API keys in frontend code.

High (fix within 24 hours): SSRF, missing CSRF, wildcard CORS, SQL injection, XSS, unverified Stripe webhooks, hallucinated packages, AI service key exposure with uncapped cost, prompt injection, missing per-feature AI budgets.

Medium (fix within a week): missing rate limiting, missing security headers, insecure file uploads, weak password hashing, GDPR right-to-erasure not implemented, no backup strategy or untested restore, PII in logs and missing audit trail.

Low (fix when convenient): verbose error messages, outdated dependencies with CVEs, environment configuration drift.

Eight of the 25 are original to this kit. The other 17 build on the MIT-licensed public foundations from benavlabs/vibe-check and LadyKerr/Vibe-Security-Skill, with attribution maintained.

CRITICAL: 5

HIGH: 10

MEDIUM: 7

LOW: 3

Who it's for: solo devs shipping AI-built apps.

Who it isn't for: companies with regulated data and real penetration-test budgets — this is a starting point, not a substitute. And apps that don't use AI coding tools at all: the patterns still apply, but you're getting the catalog without the AI-coding-specific angle that justifies the price.

AUDIENCE: SOLO

STAGE: PRE-LAUNCH

Find what the AI left behind.


$99 standalone. $49 for v1 buyers.

12 months of updates included. 30-day refund window.

ONE-TIME

NO SUBSCRIPTION

QUESTIONS

How is this different from the free GitHub repos?

The foundation overlaps with benavlabs/vibe-check (17 findings, MIT-attributed). Beyond that: eight findings original to this kit, five deeply researched platform supplements with CVE citations, packaged rules file plus audit checklist procedure, 12 months of updates. Roughly 75% of what you read is original; the rest is curated public material with attribution kept.

Does anything get uploaded?

No. The kit is a set of markdown files your AI reads alongside your code. Everything runs in your own AI session. Source code never leaves your machine.

Which AI coding tools does it work with?

Any tool that reads a project rules file at root. Tested with Claude Code, Cursor, GitHub Copilot agent mode, Windsurf, Continue, and Gemini CLI. Both CLAUDE.md and AGENTS.md ship in the bundle with identical content.

What's the refund policy?

30 days, no questions asked, through the original Gumroad purchase.

Run the audit before the launch tweet.
