Delv
No Code Builder · by StackBlitz · 4.3

Bolt.new

StackBlitz's in-browser agent that builds, runs, and deploys full-stack apps. Runs Node.js in the browser via WebContainers - fast iteration without setup.

Safety & Trust

Delv Safety Grade: B

Score 72/100 · assessed 2026-04-18

  • Maintainer: 85
  • Permissions: 55
  • Supply chain: 70
  • Transparency: 50
  • Incidents: 100

Bolt.new is StackBlitz's browser-based autonomous builder that generates and runs full-stack applications using WebContainers. StackBlitz is a well-established company (acquired by Vercel-adjacent ecosystem players) with legitimate credentials in browser-based development environments. The maintainer score is solid given StackBlitz's track record with WebContainers technology. However, permissions are broad: the agent writes arbitrary code, executes it in a sandboxed Node environment, and can deploy to external services. The closed-source nature and lack of public repository significantly hurt transparency. Supply chain is reasonable as it runs entirely in StackBlitz's infrastructure, avoiding local dependency risks, but you're trusting their hosted environment completely. No known security incidents. The freemium model and proprietary nature mean less community scrutiny than open alternatives. Suitable for prototyping and demos, but review generated code before production use.

Green flags

  • StackBlitz is an established vendor with proven WebContainers technology
  • Browser-based execution avoids local machine compromise risks
  • No local dependency installation reduces supply chain attack surface
  • WebContainers provide process isolation from host system
  • No known security incidents or breaches reported

Red flags

  • Closed source with no public repository for security review
  • Generates and executes arbitrary code with broad capabilities
  • Proprietary freemium model limits transparency into safety controls
  • Can deploy to external services, expanding attack surface
  • No clear documentation of security boundaries or sandboxing limits

Permissions requested

  • Write files
  • Read files
  • Outbound network
  • Sandboxed shell
  • External LLM call
  • Repo write

Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Pricing

FREEMIUM

Platforms

web

Review

Bolt.new is StackBlitz's attempt to collapse the gap between 'I want to build X' and 'here is X running in a browser'. You describe an app, it writes the code, spins up a Node environment via WebContainers, and gives you a live preview. No local setup, no Docker, no waiting for dependencies to install on your machine. The autonomy here is narrow but useful: it handles the entire scaffolding-to-deployment loop without asking you to configure Vite or choose a CSS framework.

I used it to prototype a dashboard with real-time chart updates for a client pitch. Prompt was vague ('build a sales dashboard with live data and filters'), and it chose React, Recharts, and a mock API. Twenty minutes later I had a working demo I could click through during the call. The client signed off on the direction before I'd written a single line myself.

Where it shines: throwaway prototypes, teaching environments, and situations where you need something running now, not after an hour of npm hell. The in-browser execution is genuinely fast. Changes propagate in seconds, and you can share a live URL without deploying to Vercel first.

Where it doesn't: anything requiring backend complexity beyond a basic API or database. It will generate a Prisma schema and SQLite setup, but the moment you need Redis or external services, you're fighting the constraints of a browser sandbox. Code quality is serviceable but generic. If you're building something you plan to maintain, you'll rewrite chunks of it. The agent doesn't refactor well when requirements shift mid-session; it tends to bolt on features rather than rethink structure.

Compared to Cursor or Windsurf, Bolt trades depth for immediacy. Those tools give you more control and better code, but they assume you already have a local environment. Bolt assumes you have nothing and need something in 20 minutes. For early-stage exploration or client demos, that trade-off works. For production codebases, it doesn't.

Freemium tier is generous enough to test the concept. Paid plans unlock private projects and more compute, which matters if you're using this regularly rather than as a one-off prototype tool.

Verdict

Pay for it if you pitch clients with live demos or teach full-stack without wanting to debug student laptop configs. Skip it if you're building anything you plan to maintain beyond the prototype stage.

Good at

  • In-browser Node execution via WebContainers means zero local setup and fast iteration
  • Handles the full stack (scaffolding, running code, live preview) without configuration decisions
  • Generous free tier for testing and throwaway prototypes
  • Shareable live URLs without manual deployment steps
  • Genuinely useful for client pitches and teaching environments

Watch out

  • Code quality is generic; you'll rewrite significant chunks for production
  • Browser sandbox limits backend complexity (no Redis, external services require workarounds)
  • Doesn't refactor well when requirements change mid-session
  • Not suitable for maintained codebases or anything beyond prototyping
  • Less control and depth than local-first tools like Cursor

Use cases

  • Building a working prototype in under 30 minutes
  • Client pitches with a live demo, not a mockup
  • Side projects where setup friction kills momentum
  • Teaching full-stack without local tooling