In early March I scanned 100 apps built with Lovable, Bolt.new, Cursor, and v0.dev.
I wasn't looking for obscure zero-days. I was looking for the basics — missing CSRF protection, exposed API keys, no authentication. The stuff that gets you hacked on day one.
65% had security issues. 58% had at least one CRITICAL vulnerability.
The Numbers
I ran automated security scans on 100 public GitHub repos built with AI coding tools. Here's what I found:
| Finding | % of Apps | Severity |
|---|---|---|
| Missing CSRF protection | 70% | 🔴 CRITICAL |
| Exposed secrets or API keys | 41% | 🔴 CRITICAL |
| Poor error handling | 36% | 🟡 WARNING |
| Missing input validation | 28% | 🟡 WARNING |
| No authentication on endpoints | 21% | 🔴 CRITICAL |
| Missing security headers | 20% | 🟡 WARNING |
| XSS vulnerabilities | 18% | 🔴 CRITICAL |
| Exposed Supabase credentials | 12% | 🔴 CRITICAL |
318 total vulnerabilities. 89 of them CRITICAL.
Average Security Score: 65/100 — a D grade.
That might sound "okay" until you realize 65% of apps scored below 70, the passing threshold, and nearly half (47%) got a D.
Platform Breakdown
| Platform | Avg Score | % With Issues | % With CRITICAL |
|---|---|---|---|
| Lovable | 58/100 | 79% | 72% |
| Bolt.new | 66/100 | 60% | 57% |
| v0.dev | 71/100 | 60% | 20% |
| Cursor | 75/100 | 50% | 42% |
These scores reflect individual apps, not the platforms themselves. The tools generate what you ask for — security is on you.
Lovable apps were the most vulnerable — 10 out of 38 had Supabase credentials exposed directly in their code.
The Scariest Find
One Lovable app had its Supabase keys — including the service role key — committed to the repo in a .env file. Not the anon key. The service role key. The anon key is designed to ship to the browser, with Row Level Security deciding what each user may see. The service role key bypasses Row Level Security entirely: with it, anyone can read, modify, or delete every row in every table. And because it was committed, deleting the file is not enough; the key lives on in the repo's history until it is rotated.
The developer had no idea. They'd built the app in Lovable, it worked, they deployed it. Lovable didn't warn them. Why would it? It's a code generator, not a security auditor.
Why This Happens
AI coding tools are incredible at generating working code. But "working" ≠ "secure."
When you tell Lovable "connect to Supabase," it generates code that queries the database. It works. But it might drop the service role key into a .env file that gets committed to source control, because the AI optimized for "make it work," not "make it safe."
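A concrete version of the check that would have caught the leak above. This is an added example, not code from the post or from VibeWrench: it classifies every Supabase key in a committed file by decoding the `role` claim of the key's JWT payload, which is `anon` for the public key and `service_role` for the privileged one. It assumes the legacy JWT-style Supabase keys (the newer `sb_publishable_...` / `sb_secret_...` keys are not JWTs and would need a prefix check instead). The function names (`scanForSupabaseKeys`, `supabaseKeyRole`, `fakeSupabaseKey`) and the sample .env are mine; the tokens in it are constructed with a dummy signature and are not real keys. The scan also flags variables whose names carry a bundler prefix (`VITE_`, `NEXT_PUBLIC_`, `REACT_APP_`), because those values are inlined into the browser bundle, which turns a committed service role key into a public one.

```javascript
// Added example (not from the original post): find Supabase keys in a
// committed file and flag service_role keys. Assumes legacy JWT-style keys.

// Base64url-encode a JSON object, the way JWT segments are encoded.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Build a JWT-shaped token with a dummy signature for the constructed sample
// below. A real Supabase key is signed with the project's JWT secret; this is
// not one and cannot be used against any project.
function fakeSupabaseKey(role) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = { iss: 'supabase', ref: 'examplerefxyz', role, iat: 1700000000, exp: 2000000000 };
  return `${b64url(header)}.${b64url(payload)}.not-a-real-signature`;
}

// Return the "role" claim of a JWT-shaped string, or null if it is not one.
// The signature is deliberately not verified: we are classifying a leaked
// credential found in a file, not authenticating with it.
function supabaseKeyRole(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

// Env var prefixes that front-end bundlers inline into the browser bundle.
// Anything stored under these names is public, whatever the file says.
const BROWSER_EXPOSED_PREFIXES = ['VITE_', 'NEXT_PUBLIC_', 'REACT_APP_'];

// "eyJ" is the base64 of '{"', so every JWT starts with it.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Scan the text of a committed file (a .env, or any source file) and report
// every Supabase key in it. An anon key is expected to be public and is only
// reported for completeness; a service_role key anywhere in the repo is CRITICAL.
function scanForSupabaseKeys(filename, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    const variable = m ? m[1] : null;
    const haystack = m ? m[2] : line;
    for (const token of haystack.match(JWT_RE) || []) {
      const role = supabaseKeyRole(token);
      if (role === null) continue;
      const exposedToBrowser =
        variable !== null && BROWSER_EXPOSED_PREFIXES.some((p) => variable.startsWith(p));
      findings.push({
        file: filename,
        line: idx + 1,
        variable,
        role,
        exposedToBrowser,
        severity: role === 'service_role' ? 'CRITICAL' : 'INFO',
      });
    }
  });
  return findings;
}

// Constructed sample .env, modelled on the pattern the post describes:
// the anon key where it belongs, plus a service role key committed twice,
// once under a VITE_ name that would also ship it to every browser.
const SAMPLE_ENV = [
  'VITE_SUPABASE_URL=https://examplerefxyz.supabase.co',
  `VITE_SUPABASE_ANON_KEY=${fakeSupabaseKey('anon')}`,
  `SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseKey('service_role')}`,
  `VITE_SUPABASE_SERVICE_ROLE_KEY=${fakeSupabaseKey('service_role')}`,
].join('\n');

for (const f of scanForSupabaseKeys('.env', SAMPLE_ENV)) {
  console.log(`${f.severity} ${f.file}:${f.line} ${f.variable} role=${f.role}` +
    (f.exposedToBrowser ? ' (inlined into browser bundle)' : ''));
}
```

When this fires on a service_role key, the order of work matters: rotate the key in the Supabase dashboard first, since it is already in git history and possibly in a deployed bundle; then move whatever needed it into server-side code (an edge function or backend route) that reads it from an unprefixed environment variable; and only then add `.env` to `.gitignore` so it does not come back. The browser keeps the anon key, and Row Level Security policies do the access control.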
This isn't Lovable's fault. Or Bolt's. Or Cursor's. They're doing exactly what you asked — writing code that works. But nobody asked "also make it secure."
That's where the gap is.
And it's not just Lovable or Bolt. Claude, ChatGPT, Cursor, Copilot — every AI code generator optimizes for "working," not "secure." I've built apps with Claude Code myself and found the same issues. This is an industry-wide problem, not a platform-specific one.
What I Built
After seeing these results, I built VibeWrench — a tool that scans vibe-coded apps for security holes, speed issues, SEO problems, and more.
It's designed for non-programmers. Instead of "Missing CSP header on response object," it says "Your website doesn't tell browsers to block suspicious scripts — like leaving your front door unlocked."
For every problem it finds, it gives you a Fix Prompt — a copy-paste prompt for Cursor or Claude that fixes the issue automatically.
Your first scan is free. No signup required.
What it checks (18 tools):
- Security: exposed keys, XSS, CSRF, missing auth, input validation, security headers
- Prompt Injection Scanner: test your AI app's system prompt against 10 attack categories (OWASP LLM01)
- Speed: Lighthouse analysis in plain English — why your site takes 8 seconds
- SEO: missing meta tags, no sitemap, "Vite App" as page title (63% of vibe-coded apps fail basic SEO)
- Accessibility: WCAG 2.1 compliance, missing alt tags, form labels
- Legal: GDPR-ready privacy policy and terms (5 questions → done)
- And more: error translation, deploy guides, code explainer, cost forecasting...
The Uncomfortable Truth
If you built an app with AI and deployed it without a security check — you probably have at least 3 of the issues above. The average app had 3.2 findings. I'm not saying this to scare you (ok, maybe a little). I'm saying this because it's fixable. In most cases, 10 minutes with the right prompts and you're good.
Try it: vibewrench.dev — paste your GitHub URL or site URL, get results in 30 seconds.
I'm a solo developer building tools for the vibe coding community. If you have questions or found something weird in your scan, drop a comment — I read everything.