You vibe, we watch your back. VibSec scans for secrets your agent leaks, flags exposed ports before they hit prod, catches supply chain attacks, and rolls back anything that goes wrong — so you can keep shipping.
AI agents write great code fast. They also leak secrets, expose databases to the internet, install typosquatted packages, and nuke your project. Here's the checklist.
AI autocomplete loves hardcoding secrets into config files. VibSec catches API keys, .env files, and private keys before they hit git.
Agents spin up dev servers on 0.0.0.0 and forget about it. VibSec monitors ports and flags databases, Redis, and services exposed to all interfaces.
Typosquatted packages are real supply chain attacks. VibSec flags 30+ known package impostors in your package.json and requirements.txt.
One bad command and everything is gone. VibSec auto-snapshots before every session so you can restore in 10 seconds, not 10 hours.
AI agents generate code with eval(), innerHTML, and SQL concatenation without thinking twice. VibSec flags every injection vector.
Agents copy Docker configs from StackOverflow that mount /var/run/docker.sock. That gives containers full host access. VibSec catches it.
CLI for your terminal. Menu bar app for your dock. Both scan the same 30+ OWASP checks and show you exactly what needs fixing — before you ship.
One command. 30+ OWASP checks. Finds the hardcoded secrets, eval patterns, and supply chain risks your AI agent introduced — grouped by severity so you fix what matters first.
I let Claude Code build my whole auth flow. VibSec found a hardcoded Stripe key and an eval() with user input. Fixed both in 5 minutes.
Launch your AI agent through VibSec. Your project is auto-snapshotted, the launch command is checked against your policy, and everything is logged to an audit trail — so you can always roll back.
My agent nuked my entire src/ folder. Ran vibsec rollback and was back in 10 seconds. This is a must-have.
Every vibsec run auto-snapshots your project. When your agent goes off the rails — and it will — one command restores everything with full integrity verification.
Click the shield icon — see scan results, exposed ports, which agents are installed, and your full audit log. Same OWASP checks as the CLI, always one click away while you vibe.
AI agents spin up dev servers, databases, and caches on 0.0.0.0 without a second thought. VibSec's port monitor catches services exposed to all network interfaces — before your MySQL, Redis, or Postgres becomes public.
docker-compose up and the DB is reachable from any IP
I had no idea my Redis was listening on 0.0.0.0 until VibSec flagged it. Took 2 seconds to fix, could have been a data breach.
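The two Compose mistakes described above (ports published on all interfaces, and a /var/run/docker.sock mount) can be checked statically; the sketch below is an added example, not VibSec's own code. It assumes the Compose file has already been parsed into a plain object, and the names `findExposures`, `hostIpOf` and `sampleCompose` are hypothetical.

```javascript
// Added example, not VibSec's code. Input is a Compose file already parsed
// into a plain object (e.g. by a YAML library); names here are hypothetical.
const ALL_INTERFACES = new Set(["", "0.0.0.0", "::"]);
const DOCKER_SOCK = "/var/run/docker.sock";

// Host IP of a short-syntax port entry "[IP:][HOST_PORT:]CONTAINER_PORT[/proto]".
// Returns "" when no IP is given, which Docker publishes on all interfaces.
function hostIpOf(entry) {
  const spec = String(entry).split("/")[0];
  if (spec.startsWith("[")) return spec.slice(1, spec.indexOf("]")); // [::1]:6379:6379
  const parts = spec.split(":");
  return parts.length === 3 ? parts[0] : "";
}

function findExposures(compose) {
  const findings = [];
  for (const [name, svc] of Object.entries(compose.services || {})) {
    for (const port of svc.ports || []) {
      // Long syntax is an object with an optional host_ip; short syntax is a string/number.
      const ip = typeof port === "object" ? (port.host_ip || "") : hostIpOf(port);
      if (ALL_INTERFACES.has(ip)) {
        findings.push({ service: name, kind: "port-all-interfaces", detail: port });
      }
    }
    for (const vol of svc.volumes || []) {
      const source = typeof vol === "object" ? vol.source : String(vol).split(":")[0];
      if (source === DOCKER_SOCK) {
        findings.push({ service: name, kind: "docker-socket-mount", detail: vol });
      }
    }
  }
  return findings;
}

// Constructed sample: "cache" and "ci" are risky, "db" is bound to loopback only.
const sampleCompose = {
  services: {
    cache: { image: "redis:7", ports: ["6379:6379"] },
    db: { image: "postgres:16", ports: ["127.0.0.1:5432:5432"] },
    ci: { image: "docker:cli", volumes: ["/var/run/docker.sock:/var/run/docker.sock"] },
  },
};

for (const f of findExposures(sampleCompose)) {
  console.log(`${f.service}: ${f.kind} (${JSON.stringify(f.detail)})`);
}
```

Changing the `cache` mapping to `127.0.0.1:6379:6379` clears the first finding, because the published port is then bound to loopback only.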
10 checks that run in seconds. Zero config. Works on any project.
Scans for API keys, tokens, private keys, and .env files. Flags exposed ~/.ssh paths and keychains.
Checks the launch command against your policy before execution. Flags dangerous patterns like rm -rf and git push --force.
Detects curl | bash patterns, missing lockfiles, unpinned dependencies, and typosquatted packages.
Catches unsafe patterns where model output flows to eval, exec, SQL, or template injection.
Scans training data and RAG files for prompt injection markers and chat template manipulation.
Detects when agent sessions exceed tool call limits. Rate limiting and per-session caps from your policy.
Automatic snapshots before every session. One command to restore any state.
JSONL trail of every command, blocked action, and file change. Full visibility.
Catches MySQL, Redis, Mongo, and dev servers exposed on 0.0.0.0. Don't let your agent expose your DB to the internet.
macOS tray app with live scanning, agent detection, port monitoring, and audit log — always one click away.
No config files. No setup. Just scan, launch, and ship.
vibsec scan
Finds secrets, unsafe patterns, supply chain risks, and OWASP LLM + ASVS 5.0 vulnerabilities in seconds.
vibsec run -- <agent>
Auto-snapshots your project, checks the launch command against your policy, and logs everything to an audit trail.
vibsec rollback
Restore to any snapshot instantly. Full file contents preserved with integrity checks.
VibSec maps to both the OWASP Top 10 for LLM Applications and the ASVS 5.0 standard — covering the risks that actually hit developers.
Can't find your answer here? Get in touch.
A security checklist for vibe coders. VibSec is a CLI + macOS menu bar app that catches the things AI agents get wrong — leaked secrets, exposed ports, typosquatted packages, unsafe eval patterns, and more. It maps to OWASP LLM Top 10 + ASVS 5.0, auto-snapshots for rollback, and runs 100% locally with zero config.
No. VibSec runs 100% locally. Your code, secrets, and audit logs never leave your machine. There are no external API calls, telemetry, or cloud dependencies.
VibSec works with any CLI-based agent — Claude Code, Cursor, Aider, Copilot, or custom agents. It snapshots your project before launch, checks the launch command against your policy, and logs everything to an audit trail.
VibSec maps its checks to both the OWASP Top 10 for LLM Applications (2025) and the OWASP ASVS 5.0 standard. It covers 8 of 10 LLM risks and 30+ ASVS checks across injection prevention, access control, validation, cryptography, API security, data poisoning, supply chain integrity, and more.
Yes. Run vibsec policy init to generate a policy file, then customize blocked commands, allowed paths, and severity thresholds for your project.
One command: curl -fsSL https://vibsec.com/install.sh | bash. Requires Node.js 18+. Installs globally so you can use it from any project directory.
Install VibSec globally and start scanning any project in seconds. Requires Node.js 18+.
curl -fsSL https://vibsec.com/install.sh | bash
Run the command above. Downloads and installs globally via npm.
Run vibsec scan in any project to find vulnerabilities.
Run vibsec run -- <agent> to auto-snapshot and launch your agent with an audit trail.
Install in under a minute. Ship faster knowing nothing critical slips through.
Free to use. Read the FAQ.