Your AI-built app might be leaking secrets.

Leaked scans Next.js, Supabase, and Firebase apps for the security mistakes AI builders make most. Paste a URL or drop a repo — get a plain-English report in seconds.

No login required. No code changes. Point it at any public URL and go.

AI writes the code. But it doesn't know your keys are showing.

Lovable, Bolt, Cursor, and v0 are incredibly fast. They're also trained on public examples that sometimes hardcode keys, skip RLS, or call OpenAI directly from the browser.

The bugs aren't obvious. They don't break the app. They sit quietly in your bundles until someone finds them.

Six checks. The ones that actually matter.

Check: What it catches

🔑 Exposed API keys: OpenAI, Supabase, Firebase keys in client bundles or source files
🛡️ Supabase RLS off: Tables readable by anyone — no auth required
💸 Direct AI calls: Browser hitting OpenAI directly — unlimited spend risk
🤖 AI endpoint abuse: No rate limit, no auth gate on AI routes
📝 Secret in logs: API keys logged to console or log services
🔍 Hardcoded secrets: Keys committed directly to source
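To show concretely what the "exposed API keys", "direct AI calls" and "secret in logs" checks look for in a fetched client bundle, here is an added example scanner (not Leaked's own code) run over a constructed bundle snippet; the check names, regex patterns and redaction rule are assumptions made for this illustration.

```python
import re

# Constructed sample of a client-side bundle. Not a real app and not a real
# key: the "sk-proj-CONSTRUCTED..." value is a placeholder in the OpenAI format.
SAMPLE_BUNDLE = "\n".join([
    'const OPENAI_KEY = "sk-proj-CONSTRUCTEDEXAMPLEKEY00000000000000";',
    'console.log("using key", OPENAI_KEY);',
    'fetch("https://api.openai.com/v1/chat/completions", {',
    '  headers: { Authorization: "Bearer " + OPENAI_KEY },',
    '});',
    'const supabaseUrl = "https://example-project.supabase.co";',
])

# (check name, pattern, is_secret). Only the OpenAI "sk-" prefix is a key
# format; the other two checks match behaviour of the bundle itself: where
# the browser sends requests and what it writes to the console.
CHECKS = [
    ("exposed-openai-key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"), True),
    ("direct-ai-call", re.compile(r"https://api\.openai\.com/"), False),
    ("secret-in-logs",
     re.compile(r"console\.(log|error|warn)\([^)]*(KEY|SECRET|TOKEN)", re.I),
     False),
]


def redact(value):
    """Keep only a prefix of a matched secret so the report itself never leaks it."""
    return value[:8] + "..."


def scan_bundle(text):
    """Return one finding per (line, check) hit, with redacted evidence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, is_secret in CHECKS:
            m = pattern.search(line)
            if m:
                evidence = redact(m.group(0)) if is_secret else m.group(0)
                findings.append({"check": name, "line": lineno, "evidence": evidence})
    return findings


if __name__ == "__main__":
    # Regex hits are evidence to verify by hand, not proof on their own.
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['check']} ({f['evidence']})")
```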

How it works

1. Paste your app URL

Leaked fetches your public bundles and checks for exposed secrets, direct AI calls, and abuse risks.

2. Or paste a repo URL

Leaked scans your committed source for hardcoded keys, logging leaks, and RLS misconfiguration.

3. Get a plain-English report

Every finding comes with evidence, why it matters, and an exact fix. No jargon.

Simple pricing

Free — URL Scan

  • Stack detection
  • Secret exposure check
  • Direct AI call check
  • Abuse risk signal
  • Instant report

Deep Scan — $49 (Most Popular)

  • Everything in free
  • Full repo scan
  • RLS configuration check
  • Logging exposure check
  • Hardcoded secrets in source
  • Full finding report with evidence

Monitoring plans coming soon

What Leaked does not check

We're transparent about scope. These are things Leaked does not check:

  • Server-side environment variables — keys not in client bundles or committed source
  • Git history — only the current working tree is scanned
  • Infrastructure, networking, or DNS configuration — we scan code only
  • Mobile apps or non-web stacks — Next.js, Supabase, Firebase only
  • Runtime behavior — all checks are static analysis only

Every report clearly states what was and was not scanned.

Found a bug in your AI-built app?

Share the report and help other builders learn.