Product Listing
Qualmly
AI code auditor for apps built in Lovable, Bolt, v0, Cursor, GitHub Copilot, Claude Code, or Windsurf. Paste a URL or code, get a 30-second security + quality report with "paste into your builder" fix prompts. Single HTML file, your Claude API key, no subscription.
🔥 Qualmly — ship with no qualms
You built something awesome in Lovable, Bolt, v0, or Cursor. It looks good. It probably works. But did your AI builder remember to enable Row-Level Security on your Supabase tables? Keep your Stripe secret key out of the client JS? Add auth checks on your admin routes? Validate Stripe webhook signatures?
Probably not. 170+ Lovable apps leaked user data in 2025 because of missing RLS (CVE-2025-48757).
Qualmly raises every concern in a 30-second AI audit across 8 categories — plus a vibe-coder-specific scan that knows exactly what Lovable, Bolt, v0, Cursor, GitHub Copilot, Claude Code, and Windsurf typically forget.
Try it live at qualmly.dev
WHAT YOU GET
App QA mode — paste a URL, get an 8-category report (security, auth, forms, responsive, a11y, perf, data, errors)
Code Review mode — paste code, get OWASP Top 10 + CWE/SANS Top 25 findings with Before/After fixes
Vibe-Coder preset — specific checks for Supabase RLS, leaked API keys, exposed admin routes, CORS/CSRF, unverified Stripe webhooks
"Paste into [Your Builder]" prompts — every fix comes with a natural-language prompt tuned to Lovable, Bolt, v0, Cursor, GitHub Copilot, Claude Code, Windsurf, Replit, or Webflow AI. Copy → paste into your chat → done.
Plain-English mode — rewrites every finding for non-technical readers
Mark as intentional — click any finding, explain context, Qualmly re-evaluates
Three API key storage modes — session-only, localStorage, or AES-GCM passphrase-encrypted (your choice)
Idle auto-clear — optional 30-minute to 24-hour auto-wipe on shared machines
Preferences — saveable/exportable defaults plus a custom-focus textarea
Cost transparency — every review shows the exact Anthropic spend (~$0.03/run)
Install as an app — works as a PWA on desktop and mobile
No servers, no accounts, no GitHub install — single HTML file, opens in any browser
WHY PAY INSTEAD OF USING A FREE COMPETITOR?
CodeRabbit: free tier or $24+/seat — needs GitHub App install; spams 40+ PR comments
Sourcery: $10/user/month — per-repo YAML config
Snyk Code: $25/seat/month — gates reachability behind paid tiers
Qualmly: $15 once — you bring your own Claude API key (~$0.03/review)
No seats. No subscriptions. No vendor lock-in. You own the file.
WHAT'S INCLUDED IN THE DOWNLOAD
index.html — the entire app
manifest.json + icon.svg — PWA assets (install-as-app)
DISCLAIMER.md + PRIVACY.md — full data-flow disclosure
COMMERCIAL-LICENSE.md (Agency tier only) — commercial use rights
README.txt — quick-start guide
12 months of updates + email support