VibeGuard
A browser extension that detects vibe-coded apps at runtime, flags client-side credential leaks and platform-specific vulnerability patterns, and warns you before you hand over personal data.
Problem
Millions of web apps shipped in 2026 were built entirely by AI coding tools — Lovable, Bolt, v0, Replit — by founders with no security training. Q1 2026 research confirms that 91.5% of vibe-coded apps have at least one exploitable vulnerability. In February 2026, a Lovable-built educational app exposed 18,000 users — including students at UC Berkeley and UC Davis — by shipping with row-level security disabled and full database write access available to anyone who opened the network tab. Every security scanner built around this problem targets the developer before deploy. Users who land on one of these apps today see a polished landing page and have no signal that the backend was shipped in a weekend without a single security review.
Target user
Privacy-conscious consumers who regularly sign up for new apps, indie tools, and AI-powered SaaS products. Job-to-be-done: "Before I enter my email, create an account, or add a payment method, tell me if this site has obvious signs of being insecure." Secondary: security-aware professionals and IT admins who want to understand what their team members are exposing data to.
MVP scope
- Detect vibe-coding platform fingerprints in page source: Lovable meta tags, Bolt bundle patterns, v0 generator headers, Replit deployment markers, and common AI-scaffolded framework signatures.
- Scan visible client-side JavaScript for credential misconfigurations: Supabase service_role key exposure (as opposed to the safe anon key), unauthenticated REST endpoint patterns, and missing CORS restrictions detectable from response headers.
- Show a non-intrusive badge per page: "AI-scaffolded app detected · platform: Lovable · known risk class: RLS bypass (CVE-2025-48757)" with a one-click expand for what that means in plain English.
- Before a form submission collecting email, password, or payment fields, show a one-line warning overlay if the page is flagged — dismissible with one click, no blocking.
- Community threat feed: users can submit confirmed breach reports for a site slug; five independent reports promote a site to "known incident" status in the shared database.
- Manifest V3, content scripts scoped to detected-app pages only, zero telemetry in the free tier.
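One way to implement the service_role-versus-anon distinction from the credential scan above, as an added example that is not VibeGuard's own code: the JWT-format Supabase keys the scope refers to carry a "role" claim in their payload, so a content script can classify any key it finds in the bundle without verifying the signature. The project ref "exampleproj", the sample bundle and the unsigned fake tokens are all constructed for this example.

```javascript
// Added example (not VibeGuard's code): classify Supabase keys found in a
// client-side JavaScript bundle by decoding the JWT payload's "role" claim.
// "anon" keys are meant for browsers and are bound by row-level security;
// "service_role" keys bypass RLS and must never ship client-side.
// The signature is NOT verified; this only flags what is present in the bundle.

// base64url helpers that work in both a browser content script and Node.
const toB64 = typeof btoa === "function" ? btoa : (s) => Buffer.from(s, "binary").toString("base64");
const fromB64 = typeof atob === "function" ? atob : (s) => Buffer.from(s, "base64").toString("binary");
const b64urlEncode = (s) => toB64(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlDecode = (s) =>
  fromB64(s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "="));

// Candidate JWTs: three base64url segments; "eyJ" is the base64 of '{"'.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Returns [{ token, role, ref, severity }] for every Supabase-issued JWT in the source text.
function scanBundleForSupabaseKeys(source) {
  const findings = [];
  for (const token of source.match(JWT_RE) || []) {
    let payload;
    try {
      payload = JSON.parse(b64urlDecode(token.split(".")[1]));
    } catch {
      continue; // not a parseable JWT payload; ignore
    }
    if (payload.iss !== "supabase" || typeof payload.role !== "string") continue;
    findings.push({
      token: token.slice(0, 12) + "...", // never surface the full secret in UI or logs
      role: payload.role,
      ref: payload.ref,
      // service_role in a bundle is the RLS-bypass risk class the badge describes
      severity: payload.role === "service_role" ? "critical" : "info",
    });
  }
  return findings;
}

// Constructed sample bundle with unsigned, fake tokens (not real Supabase keys).
function fakeSupabaseJwt(role) {
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64urlEncode(JSON.stringify({ iss: "supabase", ref: "exampleproj", role, iat: 0, exp: 1 }));
  return `${header}.${body}.${b64urlEncode("not-a-real-signature")}`;
}
const SAMPLE_BUNDLE =
  `const supabase=createClient("https://exampleproj.supabase.co","${fakeSupabaseJwt("anon")}");` +
  `const admin=createClient("https://exampleproj.supabase.co","${fakeSupabaseJwt("service_role")}");`;
```

A badge-worthy finding is any entry with severity "critical"; "info" entries confirm the app talks to Supabase but carry the key it is supposed to ship.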
Monetization
Freemium. Free tier covers platform detection, the credential scan, the submission warning, and community flag viewing on any device. VibeGuard Pro at $4/month adds continuous background monitoring of saved apps (alerts if a previously safe site starts matching new risk patterns after an update), the full community incident database with breach details, and a one-click data-deletion request generator addressed to the app's privacy contact. B2B: security teams can deploy VibeGuard through managed Chrome policy at $3/seat/month to enforce a warning-before-data-entry rule across their fleet — specifically targeting shadow-IT apps employees find and use without IT vetting.
Why now
Three things converged in the first half of 2026. First, SoftwareSeni's Q1 2026 aggregate study quantified that 91.5% of vibe-coded apps carry exploitable flaws — up from theoretical concern to documented reality across tens of thousands of apps. Second, the February 2026 Lovable breach (The Register, February 27, 2026) was concrete and undeniable: a single AI-built educational app leaked 18,000 users' data with no attacker sophistication required, just the browser's network tab. Third, the vibe-coding ecosystem hit mainstream in 2026: Lovable passed one million published apps in Q1, Bolt and v0 are now embedded in enterprise design workflows, and Replit's agent deploys straight to production. The developer-side scanning tools (VibeCheck, SafeVibe, Aikido) exist and work, but they require the developer to run them — a gate that the most dangerous vibe-coded apps never pass through. VibeGuard is the first line of defense on the other side of the deployment: the user's browser.
Risks & open questions
- Detection accuracy: fingerprinting vibe-coding platforms from the outside is heuristic — Bolt and v0 apps that are ejected to standard Next.js lose their scaffolding signatures quickly. False negatives are the likelier failure mode, because the detector has to be tuned conservatively: false positives (flagging a well-built app) will cause uninstalls.
- Client-side credential scanning is limited to what is visible in page source and the JavaScript bundle; a dev who moved secrets server-side won't be caught, and VibeGuard must never claim to be a full security audit.
- Lovable, Bolt, and v0 may add obfuscation or change bundle signatures in response to detection tools, requiring ongoing maintenance of the fingerprint database.
- Legal gray area: showing "known risk" badges next to specific platforms could attract takedown pressure; framing must be statistical ("apps built with X have a documented 10.3% critical RLS failure rate") not defamatory ("X is insecure").
- Demand-side risk: most users sign up for apps without reading anything — will a one-line warning actually change behavior, or is this a tool only security-conscious users install and those users were already cautious?
Next step
Build a proof-of-concept that fingerprints Lovable apps accurately on 50 Lovable showcase URLs, then test the credential scan against the February 2026 breach app's still-accessible endpoint patterns. If fingerprint accuracy exceeds 90% with under 2% false-positive rate on non-Lovable apps, promote to weekly prototype.
Sources
- https://www.softwareseni.com/91-5-percent-of-vibe-coded-apps-have-vulnerabilities-and-what-the-q1-2026-research-actually-shows/ — Q1 2026 aggregate research showing 91.5% of vibe-coded apps have exploitable vulnerabilities; AI-generated code produces flaws at 2.74x the rate of human-written code
- https://blog.rankiteo.com/mussup1772216763-supabase-lovable-vulnerability-february-2026/ — February 2026 Lovable breach report: 18,000 users exposed including students at UC Berkeley and UC Davis, 14,928 email addresses and 870 full PII records compromised via disabled RLS
- https://www.superblocks.com/blog/lovable-vulnerabilities — CVE-2025-48757 analysis: 10.3% of Lovable showcase apps had critical RLS failures (170 of 1,645 scanned), granting full production database access via exposed Supabase anon key