If you do not know what you are running, you shouldn't be running it.
Vibe coding is great for prototypes. Skip the cost of getting designers or developers to build something you've been thinking about. But if you want to run something in production, it should not be vibe-coded. You do not understand what it does. You do not know all the systems it depends upon. You do not know what it does with your API keys, with your data, or with your machines.
Looking through the codebases generated by vibe-coders, I’ve found numerous problems: severely out-of-date dependencies, logging of sensitive information / API keys, unnecessary amounts of code, bizarre API calls. These problems exist in human code too; it’s natural. But vibe-coding is at a different scale.
Vibe-coding is the equivalent of running random programs you found on the internet. You don’t know who created it, you don’t have any kind of protection from what it does. If it breaks something, if it steals something, it is your fault. You are the human. AI can’t take responsibility for anything. But you, as a human, must.
Imagine you are walking through an airport. You see luggage without an owner. You don’t know what’s in it. It’s probably just clothes. But it might be illegal weapons, drugs, etc. Would you be willing to take it through the airport and the rest of your journey? Would you be willing to take it to your family home?
I would assume the answer is no. After all, airports remind people not to leave their luggage alone. If you see some luggage, you’re meant to report it to the nearest security staff.
You, as a vibe-coder, don’t know what luggage AI is giving you. You might not even know how to recognise signs of suspicion. You definitely aren't equipped to investigate: the luggage is locked, and you don’t have the key required to open it. The key is knowledge of software engineering. A key that software engineers have spent years earning.
My objective advice:
Treat AI-generated code as if a complete stranger wrote it. After all, the training material has been written by a stranger. Thousands, maybe millions of them.
Have 2 human software engineers review the code.
Do not give AI API keys. You don’t know what servers it will give those API keys to.
Limit the libraries it uses to those that have been vetted and approved.
Run AI-generated code inside a container (e.g. Docker) to reduce the possible attack vectors. Do not run it natively on a device you wish to protect.
Inform those in your company responsible for security, GDPR / data protection, and legal.
Establish company-wide prompt regulations for AI tools.
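One way to enforce the vetted-library rule from the list above, as an added example that is not part of the original post: a Python check that flags every `requirements.txt` line that is not an approved package pinned to an approved version. The approved list, package names, versions and sample file are constructed assumptions.

```python
import re

# Assumption: maps each vetted package to the exact versions your reviewers
# signed off on. Names and versions here are constructed for illustration.
APPROVED = {"requests": {"2.32.3"}, "pydantic": {"2.7.1"}}

# Constructed sample of an AI-generated requirements.txt.
SAMPLE_REQUIREMENTS = """\
# generated
Requests==2.32.3
pydantic>=1.0
left_pad.utils==0.0.1
requests[socks]==2.19.0 ; python_version >= "3.8"
git+https://example.invalid/some/repo.git
--extra-index-url https://example.invalid/simple
"""

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")

def normalize(name):
    """PEP 503 normalisation so 'Left_Pad.Utils' and 'left-pad-utils' match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(requirements_text, approved=APPROVED):
    """Return (line_number, line, reason) for every line a reviewer must look at."""
    findings = []
    for lineno, raw in enumerate(requirements_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#"):
            continue
        # pip options (-e, --index-url, ...) and URL/VCS installs skip the vetted index
        if line.startswith("-") or "://" in line:
            findings.append((lineno, line, "bypasses the vetted index"))
            continue
        spec = line.split(";", 1)[0].strip()  # drop environment marker
        match = _REQ.match(spec)
        if not match:
            findings.append((lineno, line, "unparseable requirement"))
            continue
        name, version_spec = normalize(match.group(1)), match.group(2).strip()
        pin = re.fullmatch(r"==\s*([A-Za-z0-9.!+_-]+)", version_spec)  # rejects ==2.*
        if name not in approved:
            findings.append((lineno, line, "package not on approved list"))
        elif not pin:
            findings.append((lineno, line, "not pinned to an exact version"))
        elif pin.group(1) not in approved[name]:
            findings.append((lineno, line, "version not approved"))
    return findings
```

Run it in CI and fail the build when `audit()` returns anything, so a new dependency cannot land without a human adding it to the approved list.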
These guidelines are a little stricter than those for AI-assisted code. AI-assisted coding tends to have a human at the wheel. Vibe-coding only has the human as a passenger.
AI’s given us a great power. We must use it wisely.