Pricing

Pay per usage

Convex Security Scanner — Find public-query data leaks

Probes a public Convex deployment for queries that return data without auth. Convex queries are public-by-default unless you check auth inside the handler. Returns counts + reproducer.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Renzo Madueno

Actor stats

Bookmarked

Total users

Monthly active users

18 hours ago

Last modified

Why this exists

Convex's mental model is functions-as-API. You write query() handlers in TypeScript, and the framework deploys them. The default behavior is no auth required — the handler runs for every caller. To require auth you must explicitly write:

const userId = await getAuthUserId(ctx);
if (!userId) throw new Error('Unauthorized');

This works great when you remember. The problem: tutorials show queries without auth checks (to keep examples simple), and that pattern bleeds into real code. Worst offenders:

users:list, users:listAll — copy-pasted from "show all users" tutorials, ships to production with no guard
messages:list, chats:list — same pattern, leaks every conversation
orders:list, payments:list — when the team builds an admin dashboard, they often clone an existing list function and forget the role check

This scanner probes ~30 common Convex function paths (users:list, messages:list, etc.) plus any custom paths you pass as hints.

How to run

Either:

Leave inputs empty + click Run for a DEMO sample report
Provide your convexUrl to scan your actual deployment

{
  "convexUrl": "https://abc-fox-456.convex.cloud",
  "functionHints": ["custom:listForUser", "myFile:getSomething"],
  "outputFormat": "both"
}

What you get

HTML report in run's KV store: severity-coded findings, copy-pasteable curl reproducers, paste-ready auth-guard snippets to add to each handler
Dataset rows: one structured row per finding

Sample finding

[CRITICAL] users:list — returns data anonymously
Items returned: 2,891
Sample columns: _id, _creationTime, email, name, imageUrl, clerkId, role, stripeCustomerId
Sensitive columns detected: email, clerkId, stripeCustomerId

Reproducer:
curl -X POST 'https://abc-fox-456.convex.cloud/api/query' \\
  -H 'Content-Type: application/json' \\
  -d '{"path":"users:list","args":{}}'

How to fix (code change)

In each leaky query, add an auth guard at the top of the handler:

// convex/users.ts
import { v } from 'convex/values';
import { query } from './_generated/server';
import { getAuthUserId } from '@convex-dev/auth/server';

export const list = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (!userId) throw new Error('Unauthorized');
    return await ctx.db.query('users').collect();
  },
});

For per-user scoped reads (most common case):

handler: async (ctx) => {
  const userId = await getAuthUserId(ctx);
  if (!userId) throw new Error('Unauthorized');
  return await ctx.db
    .query('orders')
    .withIndex('byOwner', q => q.eq('ownerId', userId))
    .collect();
}

For role-gated reads (admin dashboard):

handler: async (ctx) => {
  const userId = await getAuthUserId(ctx);
  if (!userId) throw new Error('Unauthorized');
  const me = await ctx.db.get(userId);
  if (me?.role !== 'admin') throw new Error('Forbidden');
  return await ctx.db.query('orders').collect();
}

Ethical use

Only scan deployments you own
Probe queries do not write data; they only call existing queries

Stripe audit ($99 one-time): buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01
Weekly auto-scans ($29/mo): rls-monitor.vercel.app
Sister scanners: Supabase, Firebase, Strapi, Directus, Payload CMS, Convex, Hasura, PocketBase, Appwrite, Nhost.

Built by Renzo.

Nhost Security Scanner — Find public Hasura GraphQL leaks

renzomacar/nhost-security-scanner

Probes a public Nhost project's Hasura GraphQL endpoint for tables readable by anon role. Detects the #1 cause of Nhost data leaks: forgotten Hasura permission policies. Returns table-level counts + curl reproducer. Counts only.

Renzo Madueno

Payload CMS Security Scanner — Find public collection leaks

renzomacar/payload-security-scanner

Probes a public Payload CMS instance for collections readable without auth. Default templates leave read access wide open during development.

Renzo Madueno

Directus Security Scanner — Find public-role collection leaks

renzomacar/directus-security-scanner

Probes a public Directus instance for misconfigured Public-role permissions. Detects collections readable without auth via /items/{collection}. Returns counts + curl reproducer. Counts only.

Renzo Madueno

Strapi Security Scanner — Find public collection-type leaks

renzomacar/strapi-security-scanner

Probes a public Strapi instance for misconfigured Public role permissions. Detects content-types readable without auth via /api/{collection}. Returns counts + curl reproducer. Counts only.

Renzo Madueno

Reddit Scraper - Posts, Comments & Sentiment Data

renzomacar/reddit-scraper

Scrape Reddit subreddits, search results, and comment threads. Extract post titles, authors, scores, comment counts, body text, and full comment trees with nested replies. Sort by hot, new, top, or rising. Perfect for market research and sentiment analysis.

Renzo Madueno

301

Website Tech Stack Detector — 100+ Technologies

ryanclinton/website-tech-stack-detector

Identify the technologies, frameworks, and services running on any website. Website Tech Stack Detector crawls one or more URLs, inspects HTTP headers, HTML meta tags, script sources, and body content, then matches them against a fingerprint database of 106 web technologies across 17 categories.