npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

vibe-check-recon

v0.6.0

Published

Read-only public-surface security recon for AI-built apps. Finds the obvious stuff your hosting platform exposed before you ship.

Downloads

936

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

uxcontinuumuxcontinuum

Keywords

securityreconauditvibe-codingpre-launchsupabasefirebasevercelnext.jslovablecursorboltv0

Readme

vibe-check-recon

Read-only public-surface security recon for AI-built apps.

You shipped your MVP with Cursor / Lovable / Bolt / v0 / Windsurf / Claude Code. Before more users find it, run this to catch what your build agent and hosting platform exposed by default.

npx vibe-check-recon https://my-app.com

What it finds

| Category | Examples | |---|---| | Source / config exposure | .git/ directory served publicly, .env files reachable, firestore.rules exposed, .svn/, build manifests, DB dumps left in the public dir | | Leaked keys | OpenAI / Anthropic / Stripe secret keys / Google API keys in client JS bundles | | Cloud storage | Public S3 / GCS / R2 / Azure / DigitalOcean buckets that list publicly | | Subdomain hygiene | admin.X, dev.X, staging.X, api.X surfaced via Certificate Transparency log + Brave search, then probed for unauthenticated 200s | | Web security headers | Missing CSP / HSTS / X-Frame-Options / X-Content-Type-Options | | CSP quality | Beyond present/absent: detects unsafe-inline, unsafe-eval, missing default-src, wildcard script-src | | Cookie security | Auth/session cookies missing HttpOnly / Secure / SameSite flags | | Source maps in production | Full unminified source available at the .map URL | | CORS misconfigs | Access-Control-Allow-Origin: * on real APIs (with platform-default suppression for Vercel/Netlify/CF Pages/GitHub Pages SPAs) | | API doc / route disclosure | /swagger.json, /api/docs, /openapi.json revealing your full route surface |

What it does NOT do

This is passive reconnaissance only. It reads what the target server already serves publicly. It does not:

  • Send injection payloads (SQL / XSS / SSRF)
  • Brute force or fuzz endpoints
  • Attempt authentication
  • Touch any data that isn't already public
  • Generate load on the target

It's safe to run against your own apps and apps you have permission to test.

What this isn't

This is the 30-second public-surface check. It reads what your server already serves and flags the obvious classes of mistake (.git/ exposed, API keys in the bundle, public buckets, weak headers, etc).

It does NOT touch the inside of your application. The interesting bugs live there.

Free finding vs paid finding — concrete example

You build a Lovable app. It uses Supabase. You ship it. You run npx vibe-check-recon https://yourapp.com.

What the free recon finds:

[info] Possible supabase_url in client bundle https://abcd1234.supabase.co This is expected — Supabase anon keys + URLs are public by design when paired with correct Row Level Security policies.

That's a true positive but a low-impact one. It just confirms the stack. The real question is whether the RLS policies are actually correct.

What the paid Vibe Audit finds, on the same app:

[critical] RLS policy on bookings table grants select to authenticated role unconditionally create policy "Users can view bookings" on bookings for select to authenticated using (true); Any logged-in user (including freshly-signed-up attackers) can read every row in the bookings table, including other users' contact details, party sizes, and payment status. The intended policy was almost certainly using (auth.uid() = user_id). Verified by signing in as a test account and querying bookings directly via the anon key. Patch:

drop policy "Users can view bookings" on bookings;
create policy "Users can view their own bookings" on bookings
  for select to authenticated using (auth.uid() = user_id);

Same stack. Same recon output. Different layer.

The free tool finds public surface. The paid audit reads your actual code, validates intent against the schema, and writes you the patch. That's the diff.

If your app has users, payments, or accounts — get the Vibe Audit. $99 founder special, 12-hour turnaround, ranked written report covering auth, data exposure, DB security, payments, env config, performance, and UX red flags.

Install

# One-shot
npx vibe-check-recon https://my-app.com

# Or install
npm install -g vibe-check-recon
vibe-check-recon https://my-app.com

Requires Node 18+.

Usage

# Pretty output
npx vibe-check-recon https://my-app.com

# JSON for programmatic use
npx vibe-check-recon https://my-app.com --json

# Just the highest-severity finding
npx vibe-check-recon https://my-app.com --top

# Help
npx vibe-check-recon --help

Optional environment

# Enables Brave-search-powered subdomain discovery beyond crt.sh
export BRAVE_API_KEY=BSAxxx

Without BRAVE_API_KEY, recon still works. It just skips the Brave-augmented URL discovery and relies on the public Certificate Transparency log alone.

Output format

JSON shape:

{
  "ok": true,
  "url": "https://my-app.com",
  "scanned_at": "2026-05-08T20:42:00.000Z",
  "stack_signals": { "framework": "next.js", "db": "supabase", "server": "Vercel" },
  "contacts": { "x": "@founder", "email": "[email protected]", "linkedin": "..." },
  "subdomains_found": 4,
  "bucket_urls_found": 0,
  "findings": [
    {
      "severity": "critical",
      "category": "data_exposure",
      "title": "Full .git/ directory exposed",
      "detail": "ref: refs/heads/main",
      "url": "https://my-app.com/.git/HEAD",
      "remediation": "Anyone can clone the entire repo via git-dumper. Add .git to your build-output ignore list and redeploy."
    }
  ]
}

Severity tiers:

  • critical — source or secrets fully exposed; immediate disclosure warranted
  • high — sensitive config served; needs fast fix
  • medium — misconfig with credible attack surface
  • low — best-practice gap; mention only when other findings exist
  • info — stack signal, not a vulnerability

Origin

Built from the recon module that powers the manual Vibe Audit service. Open-sourced because the public-surface check should be free for every founder shipping an MVP — and because the things this can't catch are exactly what a paid audit is for.

If recon finds something you didn't expect, that's the moment to ask whether the rest of your code has the same shape of issue. That's the audit.

License

MIT. Use it on your apps. Use it on your clients' apps with their permission. Don't use it as a launching point for active attacks.

Author

Matt Turley — Fractional CTO, 20+ years. Audits AI-built apps before launch. uxcontinuum.com/vibe-audit.