Skip to main content
VibeAudit

The Bestiary

Meet the 10 Launch Gremlins.

Every gremlin is a real failure mode that AI-built apps ship with - named, because "Supabase RLS Roulette" is easier to remember than a CWE number, and naming the thing you're afraid of makes it smaller. Each card links to the full entry: what it is, the exact check to run yourself, and what fixed looks like.

high

Stripe Cosplay

"Trust me, the money's fine."

Payment flow not verified server-side

Full entry
high

Agent With a Weapon

"You gave me tools AND went to brunch?"

AI agent tool-execution with no boundaries

Full entry
critical

Supabase RLS Roulette

"Row-level security? I feel lucky."

Row-level security off / misconfigured

Full entry
high

Public Bucket Jump Scare

"SURPRISE - it was public the whole time."

Public storage bucket / listable files

Full entry
high

Auth Middleware Missing Person

"Protected by hope."

Auth gate on UI but not the API route

Full entry
critical

Frontend Key Confessional

"Forgive me, I committed the API key."

Secret key shipped in the client bundle

Full entry
high

Prompt Injection Welcome Mat

"Ignore previous instructions - come on in."

LLM/tool path with no injection boundary

Full entry
medium

Dependency Time Bomb

"I was clean when you met me."

Dependency that goes known-bad after ship

Full entry
medium

CORS Free-For-All

"Everyone's on the list tonight."

Wildcard / permissive CORS on sensitive routes

Full entry
critical

Client-Side Admin Fantasy

"I made myself admin in DevTools."

Privilege enforced client-side, not server-side

Full entry

Which gremlins are squatting in your app?

The free Thorough Scan checks your live URL for these categories and hands back severity counts plus a shareable result card. No code upload - your source never leaves your machine.