We run Audit Vibe Coding at Inithouse, a security audit tool built specifically for AI-generated projects. After scanning hundreds of vibecoded apps, the same seven vulnerabilities show up over and over. None of them are exotic. All of them are fixable in under five minutes each.

Here they are, with a grep command you can run right now to check your own codebase.

1. Hardcoded secrets in source code

AI code generators love placeholder values. They drop in sk-test-abc123 or API_KEY=your-key-here, and you replace them with real credentials during development. Then you forget to move them to environment variables.

We have found live Stripe keys, Supabase service role tokens, and OpenAI API keys sitting in plain JavaScript files.