🌿 a little guardian for your app

Keep your app's secrets safe before you launch.

SlapSafe is a tiny, friendly check for vibe-coded apps. It scans your code for leaked keys — the stuff that quietly exposes your whole database — before the entire internet can find it.

Runs right on your machine. No account, no API key — your code never leaves your laptop.

~/my-app — slapsafe
$ npx github:Onefailatatime/slapsafe
🛡 SlapSafe — gently checking your app for leaks…
CRITICAL Supabase service_role key (bypasses ALL row security)
  src/lib/db.js:4 ← shipped to the browser
  fix: move it to a server-only env var and rotate it now
CRITICAL Stripe LIVE secret key
  api/checkout.js:1
Summary: 2 critical 1 high (38 files checked)
♥ Let's fix these before you launch.

~70% of Lovable apps shipped with row security turned off
1 in 9 vibe-coded apps were leaking their Supabase keys
10s for SlapSafe to check yours before you ship

From 2026 analyses of AI-built apps. The mistakes are common — finding them is easy.

How it works

Three little steps

No sign-up dance, no dashboard. You run one command and the guardian does the rest — right on your own machine.

1. Run one command

In your project folder, run npx github:Onefailatatime/slapsafe and paste your key once.

2. It checks, locally

SlapSafe reads your files looking for leaked keys and unsafe settings. Nothing is uploaded — your code stays with you.

3. Fix & launch

You get a gentle, ranked list with the exact file, line, and how to fix each one. Then ship with a calm heart.

What the little guardian watches for

The three things that leak user data

🔑

Hardcoded secrets

Supabase service_role, Stripe sk_live, OpenAI, Anthropic, AWS keys — anywhere they're hiding in your code.

🌍

Keys sent to the browser

An admin key shipped to the frontend is visible to every visitor. The most common cause of a whole-database leak.

📄

A leaky .env

A .env that isn't gitignored gets committed with all your secrets inside. SlapSafe catches it first.

In the little kit

More than a scanner

The SlapSafe checker

The tiny terminal guardian. Runs anywhere Node runs, and slots into CI too.

Deep-audit prompts

Copy-paste prompts for Claude Code / Cursor that audit your own repo for the deeper holes — like row-security gaps.

Pre-launch checklist

A friendly one-pager. Don't ship until every box has a happy check.

"Oops, I shipped a key" runbook

Exactly what to do, calmly, in order, if a secret already slipped out.

$5 once
one-time · yours forever · no subscription
  • ✓ The SlapSafe checker
  • ✓ Deep-audit prompts for Claude Code / Cursor
  • ✓ Pre-launch checklist + key-rotation runbook
  • ✓ 100% local — your code never leaves your machine
  • ✓ Free updates, forever
Get SlapSafe — $5

secure checkout · key by email

Questions

Little worries, answered

Does my code get uploaded anywhere?

Never. SlapSafe runs entirely on your machine — no account, no API key. If a "security" tool ever asks you to upload your repo, that's the very risk you're trying to avoid.

What do I need to run it?

Node.js and a terminal. You run it inside your project folder. Works on Mac, Linux, and Windows.

Does it work with my stack?

Yes — it reads JS/TS, React, Vue, Svelte, Python, Swift and more, and is tuned for the Supabase + Stripe combos most vibe-coded apps use (Lovable, Bolt, v0, Cursor, Next.js, Vite).

Is this a full security audit?

No, and it doesn't pretend to be. It's a fast, friendly pre-flight check for the high-frequency mistakes behind real breaches. The included prompts take you deeper on row-security.

What if it doesn't help?

Email jessyka@slapforge.com within 14 days for a full refund. No forms, no fuss.