MnT — Magizh NexGen Technologies
Open source · Live on npm

Your AI wrote the code. Did it ship the vulnerabilities too?

vibecheck reads an AI-built store the way a security reviewer would — deterministically, in seconds — and grades it. Hardcoded keys, unauthenticated admin routes, checkout that trusts client prices. 26 checks, a letter grade, the exact file:line and the fix.

npx @mntglobal/vibecheck ./your-store
$ npx @mntglobal/vibecheck ./store
F 40/100 · 2 files · 34ms
2 critical · 3 high · 2 low
CRITICAL Hardcoded Stripe secret key [SEC-01]
server.js:15 const PAYMENT_API_KEY = "sk_live_…"
CRITICAL Code built with new Function() from input [INJ-01]
server.js:48
HIGH Admin route /admin/orders has no auth [AUTH-01]
server.js:62
HIGH Order quantity used in pricing without validation [COM-02]
server.js:80 const total = prod.price * qty
LOW Internal error detail returned to the client [PROD-03]
→ the same store, hardened: A 94/100.
Deterministic — no AI, no API key. Same code = same grade. Your code never leaves your machine. Open source (MIT) — audit every check on GitHub.
What it checks

26 checks. 8 categories. One honest grade.

The same AI that wrote your store shipped the bug — so asking it to grade its own work isn't trustworthy. vibecheck is the independent, commerce-tuned second opinion, tuned for the failure modes AI codegen actually ships.

Secrets & credentials

Hardcoded provider keys, committed .env files, private keys & DB URIs, secrets shipped to the browser via NEXT_PUBLIC_ vars.

Injection & RCE

eval / new Function from input, string-built SQL, command injection, prototype pollution — the classic AI-slop footguns.

Access control

Sensitive routes with no authentication, permissive CORS with credentials, hardcoded / default admin tokens.

Commerce logic — the wedge

Checkout that trusts a client-sent price, unvalidated quantity (buy −5, get a refund), coupons applied without server validation. No generic scanner checks this.

Web exposure

Unsanitized dangerouslySetInnerHTML / innerHTML, SSRF on user-supplied URLs, path traversal into the filesystem.

Performance & scale

Synchronous I/O on the request path, re-reading the whole database per request, N+1 queries — demos fine, dies at real traffic.

Dependencies

Known-vulnerable npm packages via the OSV database (with the fixed version), missing helmet / CSP security headers.

Production hardening

No rate limiting, internal errors leaked to clients, secrets written to logs, no test suite.

Prove it

From F 40 to A 94 — with the receipts.

vibecheck was born from our AI Cleanup Lab, where a deliberately vibe-coded store went from 5/5 live exploits landing to 0/5 after a rebuild. Every finding quotes your actual code, so it's reproducible by anyone with npx.

before · F 40/100
  • Live Stripe key hardcoded in the source
  • /admin/orders leaks emails + card digits, no auth
  • Checkout accepts a negative quantity
  • Search box runs attacker code via new Function()
after · A 94/100
  • Secrets in env vars, never returned to clients
  • Admin routes behind a bearer-token check
  • Quantity validated as an integer, 1–99
  • Safe substring search, HTML-escaped output
Get started

One command. No install, no config.

vibecheck runs straight from npx on any machine with Node 20+. It reads your source locally — nothing is uploaded, nothing is stored.

1

Scan a folder on your machine

Point it at any project directory — no install step, no sign-up.

npx @mntglobal/vibecheck ./your-store
2

Scan any GitHub repo

vibecheck reads local source, not a URL. Clone the repo first, then scan the folder.

git clone https://github.com/you/store.git
cd store
npx @mntglobal/vibecheck .
3

Go deeper, or share the result

Add a flag for flow-tier checks, a shareable card, or a CI gate.

--experimentalAlso run flow-tier checks and look up dependency CVEs (OSV).
--html report.htmlWrite a self-contained, shareable HTML report card.
--ci --min-grade BExit non-zero below the grade — gate your pipeline.
--sarif out.sarifSARIF 2.1.0 — upload to GitHub's code-scanning tab.
--mdMarkdown summary, ideal for a PR comment.
--jsonMachine-readable JSON to stdout for your own tooling.
--offlineSkip the one network call (the CVE lookup) entirely.

Full flag reference and the check catalog live on GitHub.

Fits your workflow

Run it anywhere. Fail the PR that regresses.

One deterministic engine, every surface — from a quick local scan to a gated pull request with findings annotated inline.

Terminal & JSON

A graded report with evidence and fixes, or machine-readable JSON for your own tooling.

SARIF → code scanning

Upload to GitHub's Security tab and see every finding annotated inline on the exact line.

GitHub Action

One line in your workflow: posts a PR summary comment, uploads SARIF, fails the check below a grade.

Shareable report card

A self-contained HTML card of the grade and findings — great in a screenshot or a Slack message.

.github/workflows/vibecheck.yml
- uses: MnT-Global/[email protected]
  with:
    min-grade: B

Posts a PR comment, uploads to code scanning, gates on grade — Action docs

From scan to fix

vibecheck finds the holes. We close them.

Run the scan, then bring the report to a free architecture workshop — a senior engineer maps every finding to a concrete fix: auth, validation, secrets, the load pathology, the lot. That's our AI Cleanup service.

Part of MnT's open-source program — see all our agentic-commerce tooling