Client bundle risk
Public JavaScript is scanned for key patterns, Supabase project signals, source maps, and other evidence that should trigger human review.
Free AI app scorecard
Scan the public risk surface of your AI-built app in 30 seconds.
Paste any public URL to check client bundles, private-looking routes, Supabase/RLS signals, CORS, headers, runtime errors, and page quality. Then request a free human review for the deeper launch risks a scanner cannot see.
What does the scorecard check?
The scorecard is a fast public-surface screen for founder-built apps. It is designed to catch obvious issues before you spend time on a deeper review.
Admin and API surfaces
Common private-looking paths are probed for reachable routes that do not show an obvious login wall or authorization boundary.
Headers, CORS, runtime
Missing security headers, wildcard CORS, browser errors, and secondary quality signals show where launch hardening should begin.
What does the scorecard not check?
A public scan cannot see everything. That is why the scorecard is paired with a written human review.
- Whether private routes are actually protected behind login.
- Whether database policies prevent users from reading other users' data.
- Whether server secrets are handled correctly outside the client bundle.
- Whether migrations, backups, deploys, and rollback paths are production-safe.
- Whether business workflows fail safely when an API, webhook, or payment step breaks.
The scorecard tells you what the public web can see. The human review tells you what can break once real users arrive.