Agent 3 is here! 🤖 Our AI is now more autonomous, reliable, and faster. It can test your app in a real browser, find bugs, and automatically fix them for you.
1/ Tackle bigger projects with longer run times. Agent 3 can now work autonomously for up to 200 minutes, with automated testing so you can track its progress.
Jul 7 • 8 tweets • 3 min read
It's finally here!
You can now customize Agent in Replit. Here's how to get started 👇
A file called 'replit.md' now gets created in every Agent project. The purpose of replit.md is twofold:
1/ Provide a concise summary of the project for Agent to reference as it builds 2/ Allow the user (you) to provide custom instructions to Agent.
Here are some things you can customize:
Jun 1 • 13 tweets • 2 min read
you're thinking about vibe coding wrong
most of us approach vibe coding the same way we do other tools: like deterministic systems. press button and get result.
here's why that's wrong and how to get around it: 1/ We know AI is non-deterministic—that means that the same prompt can get different results.
May 29 • 8 tweets • 6 min read
On March 20th, 2025, my colleague and I discovered a critical vulnerability in Lovable's implementation of Row Level Security (RLS) policies.
Applications developed using its platform often lack secure RLS configurations, allowing unauthorized actors to access sensitive user data and inject malicious data.
Lovable applications, being primarily client-driven, rely on external services for backend operations like authentication and data storage. This architecture shifts the security burden to the implementor of the application.
However, misaligned RLS policies between the client-side logic and backend enforcement frequently result in vulnerabilities, where attackers can bypass frontend controls to directly access or modify data.
Lovable later introduced a "security scanner," but it merely checks for the existence of any RLS policy, not its correctness or alignment with application logic. This provides a false sense of security, failing to detect the misconfigurations that expose data.
INITIAL DISCOVERY & SCOPE ASSESSMENT
The vulnerability was first identified on March 20th, 2025, while examining Linkable, a Lovable-built site for generating websites from LinkedIn profiles.
An inspection of network requests revealed that modifying a query granted access to all data in the project's "users" table. After we highlighted this in a reply on Lovable's Twitter account, Lovable denied the issue, then deleted their tweets and the site. Linkable was later reinstated with a $2 fee.
The core issue was not an exposed public API key as we initially thought (Supabase provides public `anon` keys by design) but the absent RLS configuration. This allowed unrestricted data retrieval from the exposed table (sample in Appendix A1).
To determine if this was an isolated incident, we investigated other Lovable-created sites, starting with those on Lovable Launched—a showcase presumably featuring polished projects.
Access to the list of these sites was gained by manipulating an endpoint on the Launched site itself, which also lacked RLS.
We then developed a script to visit the homepage of each Launched site, capture all external network requests, and filter for those made to external sources.
For each identified request, the script attempted to modify the request to select all data from the associated endpoint—an operation equivalent to `SELECT *`, which RLS would typically prevent.
May 8 • 6 tweets • 2 min read
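The gap the thread describes, a policy that exists but does not match the application's access rules, as an added illustration in Supabase-style Postgres SQL (this is not code from the thread, from Lovable or from Supabase): a permissive policy that a presence-only scanner would accept, the owner-scoped replacement, and a catalog query a reviewer can run to flag RLS-disabled tables and always-true predicates. The `profiles` table, its `user_id` column and the `anon`/`authenticated` roles are assumed.

```sql
-- Added example (not from the thread). Assumed schema: a public.profiles table
-- whose user_id column holds the owning Supabase auth user's id.
create table if not exists public.profiles (
  id       bigint generated always as identity primary key,
  user_id  uuid not null,
  email    text not null,
  bio      text
);

-- Without this, every row is readable by any holder of the public anon key.
alter table public.profiles enable row level security;

-- WEAK: a policy exists, so a presence-only scanner is satisfied, but the
-- predicate is always true and hands the anon role the whole table.
create policy "weak_read_all" on public.profiles
  for select to anon, authenticated
  using (true);

-- CORRECTED: scope reads and writes to the authenticated caller's own row.
-- auth.uid() is the Supabase helper returning the JWT subject; it is null for
-- the anon role, so anon gets zero rows instead of all of them.
drop policy if exists "weak_read_all" on public.profiles;

create policy "profiles_select_own" on public.profiles
  for select to authenticated
  using (auth.uid() = user_id);

create policy "profiles_update_own" on public.profiles
  for update to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- AUDIT: list public tables that have RLS switched off, or that carry a
-- policy whose USING / WITH CHECK predicate is the literal 'true'.
select c.relname                               as table_name,
       c.relrowsecurity                        as rls_enabled,
       p.polname                               as policy_name,
       pg_get_expr(p.polqual, p.polrelid)      as using_expr,
       pg_get_expr(p.polwithcheck, p.polrelid) as with_check_expr
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
  and (not c.relrowsecurity
       or pg_get_expr(p.polqual, p.polrelid) = 'true'
       or pg_get_expr(p.polwithcheck, p.polrelid) = 'true');
```

Any row the audit query returns is a table where a presence-only check would pass while the data is still exposed; reviewing each policy's predicate against the application's own authorization logic is the check the thread says the scanner does not do.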
Announcing our newest Replit integration: Notion
1/ Now you can build Notion-powered apps in minutes with Replit.
Apr 30 • 12 tweets • 2 min read
Whether you're using Replit Agent, Assistant, or other AI tools, clear communication is key.
Effective prompting isn't magic; it's about structure, clarity, and iteration.
Here are 10 principles to guide your AI interactions:
Checkpoint: Build iteratively. Break large goals into smaller, testable steps. Use features like Replit Agent's Checkpoints to save progress and experiment safely.
Apr 29 • 7 tweets • 2 min read
Level up your prompts: 5 prompt examples & explanations for tools like Replit Agent and Assistant.
The quality of your prompts directly impacts the results.
Vague requests lead to vague outcomes. Clear, specific instructions unlock the AI's full potential. [ 🧵 ]
Bad: "Fix my code."
Good: "My script fails on user input validation. Debug the validate_input function. Error: [details]"
Why it works: Specificity! Pinpoint the problem area & provide
Feb 25 • 9 tweets • 2 min read
How one creator saved $1,900 by moving to a custom learning platform built on Replit.
A thread on turning ideas into apps, fast:
Brian was paying $1,900/year for Kajabi to host his online course—but wasn't using half the features.
So he built his own platform on Replit in just 3 hours.
The result? Total ownership, massive savings, and a better user experience.
Feb 8 • 6 tweets • 2 min read
This week in Replit:
1/ Agent and Assistant are now FREE to try! Get your first 10 checkpoints on us - yes, even if you're already on Core. Head to replit.com to give it a shot.
2/ Replit Mobile has been completely rebuilt from the ground up! Faster, smoother creation on the go. Try it at replit.com/mobile
3/ App cover pages got a glow-up! Now featuring your Agent prompts and a more dev-friendly layout to showcase your work.