Skip to main content
VibeAudit

VibeCode Liability Index

Named failure modes of AI-built apps.

Named failure modes of AI-built apps, mapped to severity and fix order. Each entry describes the recurring launch risk, the surface it appears on, and the evidence VibeAudit can check without pretending unsupported areas are verified.

criticalFix 1

AI Coding-Agent Worm Static Indicators

Static repository evidence matched AI coding-agent worm patterns such as editor/agent auto-run config, secret-dump workflows, or GitHub/npm/cloud credential-harvesting code.

Read failure mode
criticalFix 1

Client-Side Admin Fantasy

Admin or privileged flows appear to be enforced from client-side state or UI branches rather than server-side authorization.

Read failure mode
criticalFix 1

Command Injection Shell Game

User-controlled input appears to reach a shell execution sink without allowlist or argv-array evidence.

Read failure mode
criticalFix 1

Committed Secrets Exposure

Git history scanner evidence indicates that secret material was committed to repository history.

Read failure mode
criticalFix 1

Frontend Key Confessional

A browser-facing file or public environment surface appears capable of exposing private tokens, service keys, or operational secrets.

Read failure mode
highFix 1

IDOR Object Ownership Gap

Resource identifiers appear to drive object access without nearby owner or tenant predicate evidence.

Read failure mode
criticalFix 1

Known Malicious Dependency

A dependency version matched a known malicious, compromised, or campaign-flagged package in the supplied public advisory feeds.

Read failure mode
criticalFix 1

SQL Injection Slipstream

User-controlled input appears to reach raw or dynamically composed SQL execution without parameterization evidence.

Read failure mode
highFix 1

Weak Password Hashing

Password creation or verification code appears to use a fast general-purpose hash instead of a password storage KDF.

Read failure mode
highFix 2

Auth Middleware Missing Person

Auth dependencies or routes are visible, but middleware or server-side gate proof is not obvious in the digest.

Read failure mode
highFix 2

Known Vulnerable Dependency

A dependency version matched a known vulnerability advisory in the supplied public advisory feeds.

Read failure mode
highFix 2

Path Traversal File Escape

User-controlled paths or filenames appear to reach filesystem access without base-directory containment evidence.

Read failure mode
highFix 2

SSRF Open Proxy

URL-like user input appears to reach a server-side HTTP request without host/protocol allowlist evidence.

Read failure mode
criticalFix 2

Supabase RLS Roulette

Supabase or database access is present without enough proof of row-level security, policy tests, or private server mediation.

Read failure mode
highFix 2

XSS Output Escape Hatch

Raw HTML rendering appears without sanitizer evidence.

Read failure mode
highFix 3

Database Door Left Open

Database clients or schema files are present without enough visible proof of least-privilege access or migration discipline.

Read failure mode
highFix 3

Stripe Cosplay

Payment code exists, but the repository does not prove a complete checkout, webhook verification, and entitlement path.

Read failure mode
highFix 3

Webhook Trust Fall

Webhook paths appear present without visible signature verification or idempotency proof.

Read failure mode
highFix 4

Agent With a Weapon

Agent or tool-execution paths are present without enough proof of sandboxing, scoped permissions, and prompt-injection boundaries.

Read failure mode
highFix 4

Prompt Injection Welcome Mat

LLM input, retrieval, or tool paths are present without visible prompt-injection tests or policy boundaries.

Read failure mode
highFix 5

File Upload Roulette

File upload or storage flows are present without enough visible proof of size, type, malware, or path controls.

Read failure mode
highFix 5

Public Bucket Jump Scare

Storage/bucket code or naming suggests public object exposure may exist without proof of private access controls.

Read failure mode
mediumFix 6

Dependency Time Bomb

Dependencies are present without enough proof of lockfile hygiene, audit status, or update discipline.

Read failure mode
mediumFix 7

CORS Free-For-All

API surfaces exist without visible proof of restrictive CORS, security headers, or production header policy.

Read failure mode
mediumFix 7

Rate Limit Missing Person

Public API or auth endpoints are present without visible rate-limit or abuse-control proof.

Read failure mode
mediumFix 8

Public Source Map Confessional

Source map artifacts or production source map settings may expose implementation details after deployment.

Read failure mode
mediumFix 8

Security Header Paper Shield

Deployment header configuration lacks one or more baseline browser security headers.

Read failure mode

Run Quick Scan to see the public diagnosis layer for a checked external scope. Private findings and remediation order stay gated to paid reports.

Run Quick Scan