Pricing

Pay per usage

Convex Security Scanner — Find public-query data leaks

Probes a public Convex deployment for queries that return data without auth. Convex queries are public-by-default unless you check auth inside the handler. Returns counts + reproducer. -- By Renzo Madueno, https://rotatepilot.com

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Renzo Madueno

Actor stats

Bookmarked

Total users

Monthly active users

7 days ago

Last modified

Why this exists

Convex's mental model is functions-as-API. You write query() handlers in TypeScript, and the framework deploys them. The default behavior is no auth required — the handler runs for every caller. To require auth you must explicitly write:

const userId = await getAuthUserId(ctx);
if (!userId) throw new Error('Unauthorized');

This works great when you remember. The problem: tutorials show queries without auth checks (to keep examples simple), and that pattern bleeds into real code. Worst offenders:

users:list, users:listAll — copy-pasted from "show all users" tutorials, ships to production with no guard
messages:list, chats:list — same pattern, leaks every conversation
orders:list, payments:list — when the team builds an admin dashboard, they often clone an existing list function and forget the role check

This scanner probes ~30 common Convex function paths (users:list, messages:list, etc.) plus any custom paths you pass as hints.

How to run

Either:

Leave inputs empty + click Run for a DEMO sample report
Provide your convexUrl to scan your actual deployment

{
  "convexUrl": "https://abc-fox-456.convex.cloud",
  "functionHints": ["custom:listForUser", "myFile:getSomething"],
  "outputFormat": "both"
}

What you get

HTML report in run's KV store: severity-coded findings, copy-pasteable curl reproducers, paste-ready auth-guard snippets to add to each handler
Dataset rows: one structured row per finding

Sample finding

[CRITICAL] users:list — returns data anonymously
Items returned: 2,891
Sample columns: _id, _creationTime, email, name, imageUrl, clerkId, role, stripeCustomerId
Sensitive columns detected: email, clerkId, stripeCustomerId

Reproducer:
curl -X POST 'https://abc-fox-456.convex.cloud/api/query' \\
  -H 'Content-Type: application/json' \\
  -d '{"path":"users:list","args":{}}'

How to fix (code change)

In each leaky query, add an auth guard at the top of the handler:

// convex/users.ts
import { v } from 'convex/values';
import { query } from './_generated/server';
import { getAuthUserId } from '@convex-dev/auth/server';

export const list = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (!userId) throw new Error('Unauthorized');
    return await ctx.db.query('users').collect();
  },
});

For per-user scoped reads (most common case):

handler: async (ctx) => {
  const userId = await getAuthUserId(ctx);
  if (!userId) throw new Error('Unauthorized');
  return await ctx.db
    .query('orders')
    .withIndex('byOwner', q => q.eq('ownerId', userId))
    .collect();
}

For role-gated reads (admin dashboard):

handler: async (ctx) => {
  const userId = await getAuthUserId(ctx);
  if (!userId) throw new Error('Unauthorized');
  const me = await ctx.db.get(userId);
  if (me?.role !== 'admin') throw new Error('Forbidden');
  return await ctx.db.query('orders').collect();
}

Ethical use

Only scan deployments you own
Probe queries do not write data; they only call existing queries

Stripe audit ($99 one-time): buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01
Weekly auto-scans ($29/mo): rls-monitor.vercel.app
Sister scanners: Supabase, Firebase, Strapi, Directus, Payload CMS, PocketBase, Appwrite, Nhost.

Built and maintained by Renzo Madueño, founder of Rotate Pilot, aviation exam-prep software. More tools on GitHub.

Strapi Security Scanner — Find public collection-type leaks

renzomacar/strapi-security-scanner

Probes a public Strapi instance for misconfigured Public role permissions. Detects content-types readable without auth via /api/{collection}. Returns counts + curl reproducer. Counts only. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

Directus Security Scanner — Find public-role collection leaks

renzomacar/directus-security-scanner

Probes a public Directus instance for misconfigured Public-role permissions. Detects collections readable without auth via /items/{collection}. Returns counts + curl reproducer. Counts only. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

PocketBase Security Scanner — Find public collection leaks

renzomacar/pocketbase-security-scanner

Probes a public PocketBase instance for misconfigured collection rules. Detects collections readable without auth via /api/collections/*/records. Returns counts + curl reproducer. Counts only, no data exfiltrated. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

Payload CMS Security Scanner — Find public collection leaks

renzomacar/payload-security-scanner

Probes a public Payload CMS instance for collections readable without auth. Default templates leave read access wide open during development. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

Supabase RLS Security Scanner — Find anonymous data leaks

renzomacar/supabase-rls-scanner

Probes a public Supabase project for Row-Level-Security misconfigurations. Detects tables readable by the anon key — the #1 cause of Supabase data leaks. Returns row counts + a curl reproducer per finding. Counts only, no row data exfiltrated. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

Nhost Security Scanner — Find public Hasura GraphQL leaks

renzomacar/nhost-security-scanner

Probes a public Nhost project's Hasura GraphQL endpoint for tables readable by anon role. Detects the #1 cause of Nhost data leaks: forgotten Hasura permission policies. Returns table-level counts + curl reproducer. Counts only. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

Hasura Security Scanner — anon-role GraphQL leaks

renzomacar/hasura-security-scanner

Probes a public Hasura GraphQL endpoint for tables readable by the anon role. Works for self-hosted, Hasura Cloud, and frameworks on top. Counts only. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno

YouTube Channel & Video Scraper - Stats, Views, Trending

renzomacar/youtube-scraper

Extract data from YouTube channels and individual videos. Get subscriber counts, video titles, view counts, like counts, comment counts, publish dates, descriptions, tags, and thumbnails. Ideal for influencer research, content ana -- By Renzo Madueno, https://rotatepilot.com/cadet-programs-2026

Renzo Madueno

Google Maps Business Scraper - Local Leads, Phones, Emails

renzomacar/google-maps-businesses

Scrape Google Maps search results at scale. Extract business names, addresses, phone numbers, websites, ratings, review counts, opening hours, and GPS coordinates for any search query and location. Perfect for lead gene -- By Renzo Madueno, https://rotatepilot.com/airline-salary/british-airways

Renzo Madueno

Firebase Firestore Security Audit - Find if-true Leaks Free

renzomacar/firebase-security-auditor

Static analyzer for firestore.rules + live anonymous probe. Detects 'if true' wide-open rules, expired test-mode, auth-only patterns, open storage. HTML report with paste-ready fix snippets. Free demo mode if you don't have rules handy. -- By Renzo Madueno, https://rotatepilot.com

Renzo Madueno