Free tool · Vibe Check
Is your app leaking user data?
Most apps built with AI tools ship with Row Level Security (RLS) — the setting that decides who can see your data — turned off, so anyone on the internet can read everything. Check yours in 60 seconds. Free, no signup — your data never leaves this page.
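The check reads only your security settings — table names, column names, policies, grants. It never reads the rows in your tables. Policy expressions are copied exactly as written, so look over the JSON for anything hard-coded into a policy before you paste it.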
Step 1 — Copy this query
Open your Supabase project → SQL Editor → paste → Run. Copy the single JSON result it returns.
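-- ============================================================
-- BriefKit Vibe Check — Security Export (v1)
-- Paste this entire query into your Supabase SQL Editor and run it.
-- It reads ONLY catalog metadata for the "public" schema (table names,
-- column names, RLS flags, RLS policies, grants). It never selects rows
-- from your tables.
--
-- Before sharing the result, note that:
--   * policy expressions (using_expr / check_expr) are exported verbatim,
--     so any literal written into a policy (an e-mail address, an id)
--     appears in the JSON;
--   * table and column names are themselves part of the export.
--
-- Not covered by this export (a clean result says nothing about them):
--   * views, materialized views and foreign tables in "public";
--   * schemas other than "public";
--   * privileges granted to PUBLIC (every role, including anon and
--     authenticated, holds those) and column-level grants.
--
-- Copy the single JSON result back into the Vibe Check scanner.
-- ============================================================
SELECT json_build_object(
    'vibe_check_version', 1,
    'generated_at', now(),
    'tables', (
        -- One JSON object per table, sorted by name; '[]' when the schema is empty.
        SELECT coalesce(json_agg(t ORDER BY t.table_name), '[]'::json)
        FROM (
            SELECT
                c.relname AS table_name,
                -- false means policies on this table are not enforced at all
                c.relrowsecurity AS rls_enabled,
                -- true means RLS also applies to the table owner
                c.relforcerowsecurity AS rls_forced,
                -- column names only (lets the scanner flag sensitive columns)
                (
                    SELECT coalesce(json_agg(a.attname ORDER BY a.attnum), '[]'::json)
                    FROM pg_attribute AS a
                    WHERE a.attrelid = c.oid
                        AND a.attnum > 0          -- skip system columns
                        AND NOT a.attisdropped
                ) AS columns,
                -- all RLS policies on this table, in a stable order
                (
                    SELECT coalesce(
                        json_agg(
                            json_build_object(
                                'name', pol.policyname,
                                'command', pol.cmd,          -- SELECT/INSERT/UPDATE/DELETE/ALL
                                'permissive', pol.permissive,
                                'roles', pol.roles,
                                'using_expr', pol.qual,      -- NULL for INSERT-only policies
                                'check_expr', pol.with_check
                            )
                            ORDER BY pol.policyname
                        ),
                        '[]'::json
                    )
                    FROM pg_policies AS pol
                    WHERE pol.schemaname = 'public'
                        AND pol.tablename = c.relname
                ) AS policies,
                -- table-level privileges granted directly to the Supabase API roles.
                -- NOTE(review): role_table_grants only lists grants whose grantor or
                -- grantee is a role enabled for the current session; run from a less
                -- privileged role, this list can come back empty even when grants exist.
                (
                    SELECT coalesce(
                        json_agg(
                            json_build_object(
                                'role', g.grantee,
                                'privilege', g.privilege_type
                            )
                            ORDER BY g.grantee, g.privilege_type
                        ),
                        '[]'::json
                    )
                    FROM information_schema.role_table_grants AS g
                    WHERE g.table_schema = 'public'
                        AND g.table_name = c.relname
                        AND g.grantee IN ('anon', 'authenticated')
                ) AS api_grants
            FROM pg_class AS c
            INNER JOIN pg_namespace AS n
                ON n.oid = c.relnamespace
            WHERE n.nspname = 'public'
                -- 'r' = ordinary table, 'p' = partitioned table. A partitioned parent
                -- carries its own RLS flag and grants, so leaving it out would hide a
                -- table that has RLS turned off.
                AND c.relkind IN ('r', 'p')
        ) AS t
    )
) AS vibe_check_export;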