Use case
AI App Security Scan
AI-built apps have a specific set of security risks that traditional scanners miss: exposed provider keys, direct browser API calls, and unauthenticated generation endpoints. GetLeaked checks for these mistakes against your public app surface before they reach paying customers or security researchers.
The problem with AI apps built for speed
Lovable, Bolt, v0, and Cursor generate working code fast. They also generate code with patterns that cause security problems when exposed publicly: API keys hardcoded into components, fetch calls that go directly to OpenAI from the browser, and generation routes with no auth check.
These are not subtle vulnerabilities. An OpenAI key in a client bundle can be extracted in under 60 seconds by anyone who opens DevTools. A /api/chat route without an auth check is one curl command away from running up your bill. GetLeaked finds these before customers or bad actors do.
What GetLeaked checks
Four AI-specific risks, checked in minutes.
01. Exposed OpenAI API keys
If your OpenAI key lands in a client bundle or public page, anyone can extract it, run completions on your bill, and exhaust your quota in minutes. GetLeaked checks all publicly loaded JavaScript for credential patterns matching OpenAI, Anthropic, Cohere, and other AI provider formats.
02. Direct browser-to-AI calls
Calling OpenAI directly from the browser means your API key must ship to the client. GetLeaked detects fetch or XHR requests in client bundles that target AI API endpoints — a pattern that always results in a leaked key, regardless of obfuscation.
03. Missing auth gates on expensive routes
An AI endpoint without auth is an open billing tap. GetLeaked flags API routes that appear to call AI providers without verifying a session, token, or payment state — so you can add a gate before a bot finds it.
04. No rate limit on generation endpoints
An unauthenticated /api/generate route with no rate limit costs roughly $0 to abuse and can run up hundreds of dollars in minutes. GetLeaked checks for public endpoints that match AI generation patterns and lack observable rate-limit headers or middleware signals.
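As an added example that is not GetLeaked's own code, the Node.js script below shows the kind of static check behind risks 01 and 02: it walks a constructed client bundle for provider key prefixes and for URL literals that point at AI API hosts. The key prefixes and hosts are assumptions drawn from public provider documentation, not the scanner's actual pattern set.

```javascript
// Added example, not GetLeaked's code: a minimal static check over a client
// bundle for risks 01 and 02. Key prefixes and hosts are assumptions taken
// from public provider docs; a real scanner keeps a larger pattern set.
const KEY_PATTERNS = [
  // Anthropic keys also start with "sk-", so the OpenAI pattern excludes "sk-ant-".
  { provider: "anthropic", re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g },
  { provider: "openai", re: /\bsk-(?!ant-)[A-Za-z0-9_-]{20,}\b/g },
];
// Hosts only a server should call, because the request has to carry the key.
const AI_HOSTS = ["api.openai.com", "api.anthropic.com"];
// Any quoted absolute URL; the host is captured for the check below.
const URL_RE = /["'`]https?:\/\/([a-z0-9.-]+)[^"'`]*["'`]/gi;
// 1-based line number of a match offset, for reporting.
function lineOf(source, index) {
  return source.slice(0, index).split("\n").length;
}
// Risk 01: credential-looking literals in publicly served JavaScript.
function findProviderKeys(source) {
  const hits = [];
  for (const { provider, re } of KEY_PATTERNS) {
    for (const m of source.matchAll(re)) {
      // Report only a redacted prefix so the finding does not re-leak the key.
      hits.push({ provider, line: lineOf(source, m.index), redacted: m[0].slice(0, 7) + "..." });
    }
  }
  return hits;
}
// Risk 02: the browser calling an AI provider directly (fetch/XHR URL literal).
function findDirectAiCalls(source) {
  const hits = [];
  for (const m of source.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    if (AI_HOSTS.includes(host)) hits.push({ host, line: lineOf(source, m.index) });
  }
  return hits;
}

function scanBundle(source) {
  return { keys: findProviderKeys(source), directCalls: findDirectAiCalls(source) };
}
// Constructed sample: a generated component that ships a (fake) key to the
// client and calls OpenAI straight from the browser.
const SAMPLE_BUNDLE = [
  'const OPENAI_KEY = "sk-proj-FAKEFAKEFAKE0123456789abcdefghijkl";',
  'export const ask = (prompt) => fetch("https://api.openai.com/v1/chat/completions", {',
  '  headers: { Authorization: "Bearer " + OPENAI_KEY }, body: JSON.stringify({ prompt }) });',
].join("\n");

console.log(JSON.stringify(scanBundle(SAMPLE_BUNDLE), null, 2));
```

Both findings carry the bundle line number, which is what a developer needs to move the call behind a server route that holds the key.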
Scope and limitations
GetLeaked is explicit about what it cannot prove so you know when a deeper review is needed.
- Server-side API keys that never reach the client bundle are outside the scan scope.
- The free scan checks the public surface only. Repository scan is planned for v1.1; today’s Deep Scan expands public-deployment review.
- GetLeaked is static analysis — it cannot simulate authenticated or logged-in user flows.
Scan your AI app before someone else does.
Paste your public URL and get evidence of exposed keys and risky AI call patterns in minutes. Free, no login required.