Your database key is in the page source (Security · One-line fix)
No cookie consent and you're collecting analytics (Legal / GDPR · Needs a consent banner)
12 images have no alt text (Accessibility · Quick fix)
The AI Slop Detector
Ship code you’d put your name on.
Get your free Stack Scan. Free. No signup. 30 seconds. Your code never leaves your machine.
Most AI-generated apps fail their first scan. Yours probably will too. That’s fine.
Launching this week?
Run the scan tonight. If you come back clean, launch loud.
Someone DM’d you about a leak?
Find out if they’re right before you reply. It takes 30 seconds.
Just read the horror stories?
Those apps failed checks we run. See every one of them.
“guys, i’m under attack … maxed out usage on api keys, people bypassing the subscription, creating random sh*t on db … as you know, I’m not technical so this is taking me longer than usual to figure out”
“Within minutes, we discovered a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database.”
How it works
Copy the prompt
Grab your Stack Scan prompt with one click, or run a single npx command from your terminal.
Paste it into your AI
Cursor, Lovable, Claude Code, Bolt, Replit, v0, anything that can read your code. The prompt is long (~660 lines) because every check is written out in plain English. Read the whole thing before you run it if you want. We only ever see a score, never your code.
Get your results
Your AI reads your codebase, runs every check, and gives you a scored report with findings. Your code never leaves your machine.
A real report
This is auditbuffet.com’s own Stack Scan from May. We failed 2 of our own critical security checks, fixed them, and re-ran it two days later.
93/A (first run)
100/A (after the fixes)
Supabase RLS is enabled with real policies on every table
Why this exists
She shipped on Friday. The email came Monday.
Without AuditBuffet
Maya shipped a journaling app in March. Two weeks later, a user emailed:
“Why are my private entries showing up on Google?”
Row-level security, the Supabase setting that keeps each user’s rows private, was off. She’d never heard of it, and her AI never brought it up.
With AuditBuffet
She ran the free Stack Scan. It found 6 issues, including her Supabase RLS being off.
She upgraded to Pro, ran the full Security Audit. Found 4 more things she’d never have caught.
Next scan: all green. Badge on her homepage. Slept well.

“The first audit I ran was our own API Design Audit, on my own code. It failed with 15 critical and high-severity bugs. No rate limits anywhere, admin actions that never checked it was really me. And I build the audit tool. What do you think your AI shipped?”
Christopher Kleinman · Founder of AuditBuffet
Free Stack Scan
The Stack Scan checks for the stuff that bites you after launch. Your entire codebase, one prompt.
Security Problems
11 checks. Your data could leak. Your project could be taken over.
Your database key sitting in View Source · A "security policy" that lets every user read every row (Supabase calls it RLS), the same hole that got 170 Lovable apps caught exposing user data · Private pages anyone can open by changing the number in the URL · Validation code your AI wrote but never actually runs · Browser protections that ship switched off
Legal Exposure
8 checks. You could be fined or sued.
Images screen readers can't see (Domino's got sued over this) · No way for users to delete their account or download their data, both required by European privacy law · No "Do Not Sell" link for California visitors · Server logs quietly recording your users' personal info
Abuse Surface
6 checks. One bad user could bankrupt you overnight.
Get started
Run one command in your terminal.
$ npx auditbuffet run stack-scan
Copy the prompt and paste it into your AI’s chat.
Want to track your score over time? Sign up free
Free vs Pro
Free: Stack Scan
A mile wide, an inch deep. Checks for the biggest risks across security, auth, data exposure, accessibility, and legal liability. Enough to know where you stand. Enough to scare you a little. 1 audit · surface-level checks → The taste.
Pro: 117 Audits
Ten miles wide, ten miles deep.
Security: 24 checks.
Accessibility: 24 checks.
SEO. Performance. AI safety.
Compliance. Data privacy.
...and 110 more.
Each audit: weighted scoring,
cross-references between findings,
and your AI builds the fix plan.
117 Pro audits · thousands of checks
→ The whole buffet.
Simple pricing
One price. Every audit. No picking, no per-seat, no sales call.
Free
$0
The Stack Scan. Finds the scariest stuff in any AI-built project.
Pro
$9 /month
The things you were going to ask
Run the free Stack Scan. See what your AI missed. Fix it tonight.
$ npx auditbuffet run stack-scan
It could be any of us. The first audit we ran on our own code failed too.
Our analytics table had a write-anything policy with nothing in the code saying why. It was intentional (anonymous page-view telemetry has to accept inserts), but the audit wants that reason written down where the next person will read it.
Fixed: Added the waiver comment explaining why the policy is public, right above the policy.
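What the two Supabase findings on this page look like in SQL (Maya's journaling table with RLS off, and an analytics table that is public on purpose), as an added example rather than AuditBuffet's own migration; the table and column names (entries, page_views, user_id, path) are assumed. auth.uid() and the anon/authenticated roles are Supabase's standard ones.

```sql
-- BEFORE: a table created with RLS off. Because the Supabase anon key ships in
-- the client bundle, every row is readable through the auto-generated REST API.
create table entries (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- AFTER: RLS on, with one policy that scopes every operation to the caller's
-- own rows. USING filters reads/updates/deletes; WITH CHECK blocks writes that
-- would create a row belonging to someone else.
alter table entries enable row level security;

create policy "owners only"
  on entries
  for all
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- The analytics case: anonymous page-view telemetry has to accept inserts, so
-- this policy is deliberately open. The waiver lives right above the policy
-- AND on the policy object itself, so the next person (or the next audit) finds it.
create table page_views (
  id         bigint generated always as identity primary key,
  path       text not null,
  created_at timestamptz not null default now()
);

alter table page_views enable row level security;

-- WAIVER: anonymous telemetry inserts are intentional. No SELECT policy exists,
-- so with RLS enabled nobody can read this table back through the API.
create policy "anon telemetry insert"
  on page_views
  for insert
  to anon, authenticated
  with check (true);

comment on policy "anon telemetry insert" on page_views is
  'WAIVER: anonymous page-view telemetry must accept inserts; reads intentionally have no policy.';

-- The check an audit runs: every table in public that still has RLS switched off.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;
```

Two caveats a practitioner should keep in mind: enabling RLS on a table with no policies at all denies every API request to it (which is the right default, but it is why a forgotten policy looks like an outage), and Supabase's service_role key bypasses RLS entirely, so it belongs only on the server, never in the browser bundle the first finding on this page is about.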
API routes require authentication
6 public catalog endpoints had no auth and no marker saying that was on purpose. They serve openly-licensed catalog data by design, but an unmarked public route looks exactly like a forgotten one.
Fixed: Marked each route // PUBLIC with the reason and its rate limit.
From the raw telemetry in our repo (docs/self-audits/).
The ways strangers can exploit what you shipped.
A login page bots can hammer all night, which is how the 23andMe breach started · Fake "payment succeeded" messages your server believes · The same payment processed twice · One request that asks your database for everything and gets it · A checkout where the browser sets the price, so $0.01 buys anything
Every one of these comes with a copy-paste fix. Most take your AI about five minutes.
$ npx auditbuffet run stack-scan
Paste into your terminal. Nothing leaves your laptop.
This is one audit. Pro unlocks 117 more: thousands of checks across performance, SEO, AI safety, compliance, and everything else.
or $79/year (save 27%)
117 deep-dive audits. Thousands of checks. Every angle covered.
Cancel anytime. No card for Free.
For Platforms
Custom
Embed our trust layer in your AI coding tool. Score every app your users ship.