Overview
Finds sites deployed on Bolt.host via Google dork, then scrapes each app's bundle for exposed secrets and open endpoints. Catches the common AI-generated-app mistakes that surfaced throughout 2025-2026. Outputs a report that bolt-app creators can opt into for free.
Trigger
Cron schedule (daily at 2 AM UTC)
Schedule
Daily at 2 AM UTC
Workflow Steps
Discover Bolt.host apps
Scavio Google search for site:*.bolt.host to enumerate deployed applications.
Fetch bundle HTML
Request each app's index HTML and extract inline script sources.
Scan for secret patterns
Regex for sk-, pk-, OpenAI, Stripe, and Supabase key patterns in bundles.
Check CORS headers
HEAD request to /api/* paths and inspect Access-Control-Allow-Origin.
Score severity
Critical (live API key exposed), High (open CORS + auth), Medium (no CSP).
Post report to Discord
Daily summary with anonymized counts and opt-in links for creators.
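An added example, not part of the original page or Scavio's code: the "Check CORS headers" and "Score severity" steps applied to data that has already been fetched, with matched keys redacted so the report carries counts and prefixes only. Assumptions: the names score, redact and PROBE_ORIGIN are hypothetical; "open CORS + auth" is read as an Access-Control-Allow-Origin of * or the reflected probe origin combined with allowed credentials or an allowed Authorization header; a regex match is scored Critical without verifying that the key is live.

```python
import re

# Patterns copied from the Python implementation on this page.
SECRET_PATTERNS = [r"sk-[a-zA-Z0-9]{32,}", r"pk_live_[a-zA-Z0-9]{24,}"]
PROBE_ORIGIN = "https://probe.example"  # hypothetical Origin sent with the probe


def redact(secret):
    """Keep only the 3-character prefix so the report never carries a usable key."""
    return f"{secret[:3]}...({len(secret)} chars)"


def score(bundle, page_headers, api_headers):
    """Return (worst_severity, findings) for one app from already-fetched data."""
    page = {k.lower(): v for k, v in page_headers.items()}
    api = {k.lower(): v for k, v in api_headers.items()}
    findings = []

    # Critical: a key-shaped string in the bundle (regex cannot prove it is live).
    for pattern in SECRET_PATTERNS:
        for hit in re.findall(pattern, bundle):
            findings.append(("critical", "secret in bundle: " + redact(hit)))

    # High (assumed meaning): any origin accepted AND credentials/Authorization allowed.
    # Browsers refuse "*" with credentials, so a reflected Origin is the serious case.
    acao = api.get("access-control-allow-origin", "")
    open_cors = acao in ("*", PROBE_ORIGIN)
    creds = api.get("access-control-allow-credentials", "").lower() == "true"
    auth_hdr = "authorization" in api.get("access-control-allow-headers", "").lower()
    if open_cors and (creds or auth_hdr):
        findings.append(("high", "open CORS with auth: ACAO=" + acao))

    # Medium: the page response carries no Content-Security-Policy header.
    if "content-security-policy" not in page:
        findings.append(("medium", "no CSP header"))

    order = ["critical", "high", "medium"]
    worst = min((f[0] for f in findings), key=order.index, default="none")
    return worst, findings


# Constructed sample data (not taken from any real app).
SAMPLE_BUNDLE = '<script>const k="sk-' + "A1b2" * 10 + '";</script>'
SAMPLE_PAGE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_API_HEADERS = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                      "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    print(score(SAMPLE_BUNDLE, SAMPLE_PAGE_HEADERS, SAMPLE_API_HEADERS))
```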
Python Implementation
import os
import re

import requests

API_KEY = os.environ["SCAVIO_API_KEY"]
H = {"x-api-key": API_KEY}
# Key-shaped strings to look for in the fetched HTML
SECRET_PATTERNS = [r"sk-[a-zA-Z0-9]{32,}", r"pk_live_[a-zA-Z0-9]{24,}"]

def discover():
    # Query Scavio search for pages under bolt.host and return their URLs
    r = requests.post("https://api.scavio.dev/api/v1/search",
                      headers=H, json={"query": "site:bolt.host"},
                      timeout=10).json()
    return [x["link"] for x in r.get("organic_results", [])]

def scan(url):
    # Fetch the app's index HTML and collect every pattern match
    html = requests.get(url, timeout=10).text
    hits = []
    for p in SECRET_PATTERNS:
        hits.extend(re.findall(p, html))
    return hits

for u in discover():
    secrets = scan(u)
    if secrets:
        # Print only the URL and the match count, never the matched values
        print(u, len(secrets))

JavaScript Implementation
// Run as an ES module: the loop at the bottom uses top-level await.
const API_KEY = process.env.SCAVIO_API_KEY;
const H = { "x-api-key": API_KEY, "content-type": "application/json" };
// Key-shaped strings to look for in the fetched HTML
const PATTERNS = [/sk-[a-zA-Z0-9]{32,}/g, /pk_live_[a-zA-Z0-9]{24,}/g];

// Query Scavio search for pages under bolt.host and return their URLs
async function discover() {
  const r = await fetch("https://api.scavio.dev/api/v1/search", {
    method: "POST", headers: H,
    body: JSON.stringify({ query: "site:bolt.host" })
  }).then(r => r.json());
  return (r.organic_results || []).map(x => x.link);
}

// Fetch the app's index HTML and collect every pattern match
async function scan(url) {
  const html = await fetch(url).then(r => r.text());
  return PATTERNS.flatMap(p => [...html.matchAll(p)].map(m => m[0]));
}

// Log only the URL and the match count, never the matched values
for (const u of await discover()) {
  const s = await scan(u);
  if (s.length) console.log(u, s.length);
}

Platforms Used
Web search with knowledge graph, PAA, and AI overviews