Your AI wrote the code. Did it ship the vulnerabilities too?
vibecheck reads an AI-built store the way a security reviewer would — deterministically, in seconds — and grades it. Hardcoded keys, unauthenticated admin routes, checkout that trusts client prices. 26 checks, a letter grade, the exact file:line and the fix.
npx @mntglobal/vibecheck ./your-store$ npx @mntglobal/vibecheck ./storeF 40/100 · 2 files · 34ms2 critical · 3 high · 2 lowCRITICAL Hardcoded Stripe secret key [SEC-01]server.js:15 const PAYMENT_API_KEY = "sk_live_…"CRITICAL Code built with new Function() from input [INJ-01]server.js:48HIGH Admin route /admin/orders has no auth [AUTH-01]server.js:62HIGH Order quantity used in pricing without validation [COM-02]server.js:80 const total = prod.price * qtyLOW Internal error detail returned to the client [PROD-03]→ the same store, hardened: A 94/100.
26 checks. 8 categories. One honest grade.
The same AI that wrote your store shipped the bug — so asking it to grade its own work isn't trustworthy. vibecheck is the independent, commerce-tuned second opinion, tuned for the failure modes AI codegen actually ships.
Secrets & credentials
Hardcoded provider keys, committed .env files, private keys & DB URIs, secrets shipped to the browser via NEXT_PUBLIC_ vars.
Injection & RCE
eval / new Function from input, string-built SQL, command injection, prototype pollution — the classic AI-slop footguns.
Access control
Sensitive routes with no authentication, permissive CORS with credentials, hardcoded / default admin tokens.
Commerce logic — the wedge
Checkout that trusts a client-sent price, unvalidated quantity (buy −5, get a refund), coupons applied without server validation. No generic scanner checks this.
Web exposure
Unsanitized dangerouslySetInnerHTML / innerHTML, SSRF on user-supplied URLs, path traversal into the filesystem.
Performance & scale
Synchronous I/O on the request path, re-reading the whole database per request, N+1 queries — demos fine, dies at real traffic.
Dependencies
Known-vulnerable npm packages via the OSV database (with the fixed version), missing helmet / CSP security headers.
Production hardening
No rate limiting, internal errors leaked to clients, secrets written to logs, no test suite.
From F 40 to A 94 — with the receipts.
vibecheck was born from our AI Cleanup Lab, where a deliberately vibe-coded store went from 5/5 live exploits landing to 0/5 after a rebuild. Every finding quotes your actual code, so it's reproducible by anyone with npx.
- Live Stripe key hardcoded in the source
- /admin/orders leaks emails + card digits, no auth
- Checkout accepts a negative quantity
- Search box runs attacker code via new Function()
- Secrets in env vars, never returned to clients
- Admin routes behind a bearer-token check
- Quantity validated as an integer, 1–99
- Safe substring search, HTML-escaped output
One command. No install, no config.
vibecheck runs straight from npx on any machine with Node 20+. It reads your source locally — nothing is uploaded, nothing is stored.
Scan a folder on your machine
Point it at any project directory — no install step, no sign-up.
npx @mntglobal/vibecheck ./your-store
Scan any GitHub repo
vibecheck reads local source, not a URL. Clone the repo first, then scan the folder.
git clone https://github.com/you/store.git cd store npx @mntglobal/vibecheck .
Go deeper, or share the result
Add a flag for flow-tier checks, a shareable card, or a CI gate.
--experimentalAlso run flow-tier checks and look up dependency CVEs (OSV).--html report.htmlWrite a self-contained, shareable HTML report card.--ci --min-grade BExit non-zero below the grade — gate your pipeline.--sarif out.sarifSARIF 2.1.0 — upload to GitHub's code-scanning tab.--mdMarkdown summary, ideal for a PR comment.--jsonMachine-readable JSON to stdout for your own tooling.--offlineSkip the one network call (the CVE lookup) entirely.Full flag reference and the check catalog live on GitHub.
Run it anywhere. Fail the PR that regresses.
One deterministic engine, every surface — from a quick local scan to a gated pull request with findings annotated inline.
Terminal & JSON
A graded report with evidence and fixes, or machine-readable JSON for your own tooling.
SARIF → code scanning
Upload to GitHub's Security tab and see every finding annotated inline on the exact line.
GitHub Action
One line in your workflow: posts a PR summary comment, uploads SARIF, fails the check below a grade.
Shareable report card
A self-contained HTML card of the grade and findings — great in a screenshot or a Slack message.
- uses: MnT-Global/[email protected] with: min-grade: B
Posts a PR comment, uploads to code scanning, gates on grade — Action docs
vibecheck finds the holes. We close them.
Run the scan, then bring the report to a free architecture workshop — a senior engineer maps every finding to a concrete fix: auth, validation, secrets, the load pathology, the lot. That's our AI Cleanup service.
Part of MnT's open-source program — see all our agentic-commerce tooling
