Q.01Is my AI-generated app secure?
Usually not on the first ship. Industry research finds 40 to 62% of AI-generated code contains a vulnerability. Most often it’s an API key exposed in the browser bundle, or a database with no access rules. It’s worth running a quick check before you go live.
Q.02How do I check if my Lovable, Bolt, v0 or Cursor app has security holes?
Run Lictor’s free /lictor-security-check inside Claude Code (or via MCP in Cursor, Windsurf, Cline). It walks your project and runs 48 checks tuned to the bugs AI assistants ship most, mapped to the full OWASP Top 10 for Web, API, Mobile, and LLM apps, plus the CWE Top 25. You get a report anyone can read in about a minute. No signup.
Q.03Is Lictor free?
The audit is. The Lictor skill suite (security check, explain, fix-it, rotate) is free and Apache-2.0 open source, with no per-seat pricing and no “contact sales.” The paid product is hosted exposure monitoring for businesses, from $49/mo.
Q.04Does Lictor send my code anywhere?
No. The audit runs 100% locally inside your AI coding tool, with no token, no signup, no telemetry. Your code never leaves your machine, and every check is a markdown file you can read.
Q.05What does Lictor check for?
Leaked API keys and secrets, exposed databases (missing Supabase/Firebase row-level security), unprotected API routes, client-side-only auth, over-permissive CORS, and prompt-injection surface in AI features. These are the failure modes AI-built apps ship most.
Q.06How is Lictor different from Snyk or Aikido?
Those are built for dev teams with a CISO and a budget, and they run after you deploy. Lictor is free, speaks plain English (no CVSS scores), and runs right where you code, before you ship, so a solo founder can use it without a security background.
Q.07What’s the most common security bug in vibe-coded apps?
Missing row-level security on Supabase or Firebase, which lets anyone read everyone’s data, plus API keys hardcoded into the front-end bundle. Both are easy to find from the outside, so Lictor flags them first.
Q.08Can Lictor fix the issues, not just find them?
Yes. Run /lictor-fix-it and it walks each finding one at a time, shows the exact change, and applies it with your approval. For leaked keys, /lictor-rotate walks you through rotating them at the provider.