The Danger of Plausible-Looking Code: The Real Cost of Vibe Coding
Learn why AI-generated code that looks correct can silently break your app, expose security vulnerabilities, and accumulate hidden technical debt -- and how to code responsibly with AI tools.

You paste a prompt into an AI tool. It spits out 50 lines of clean, well-formatted code. It looks right. It runs without errors. You ship it.
Three weeks later, a bug report comes in. Then another. Then your users start losing data. You trace it back to that one function the AI wrote -- the one that looked totally fine, but silently failed under certain conditions that never showed up in your quick test.
This is the real danger of "vibe coding." Not that AI writes bad code. The danger is that it writes plausible code -- code that passes the eye test, runs in the happy path, and hides its flaws until the worst possible moment.
What Is Vibe Coding?
Vibe coding means relying on AI to generate code based on a rough description, then accepting the output with little or no review. You go by the "vibe" -- if it looks right and runs, you ship it.
The term was popularized by Andrej Karpathy, who described using AI to generate code without deeply understanding every line. It sounds efficient. For throwaway scripts or rapid prototypes, it can be. But in production systems, the hidden costs stack up fast.
Why Plausible-Looking Code Is More Dangerous Than Broken Code
Broken code fails loudly. You see an error, you fix it, you move on.
Plausible-looking code is different. It passes code review because it looks like good code. It passes your tests because you only tested the happy path. It fails silently -- or fails only under specific conditions you never anticipated.
Here is a simple example. Suppose you ask an AI to write a function that calculates a discount:
```python
def apply_discount(price, discount_pct):
    return price - (price * discount_pct / 100)
```
Looks fine. But what if discount_pct is None? What if it is negative, or larger than 100? What if price is zero?
```python
apply_discount(100, None)  # TypeError -- crashes
apply_discount(100, -10)   # Returns 110.0 -- silently wrong
apply_discount(0, 50)      # Returns 0.0 -- fine, but is this intended?
```
Only the first call fails loudly. A negative discount raises the price, a discount above 100 produces a negative price, and neither is reported as an error. A human writing this from scratch would likely think through those edge cases. An AI generating it from a one-line prompt probably will not -- unless you ask it to.
The Most Common Risks of Vibe Coding
1. Security Vulnerabilities That Look Like Features
AI models are trained on a massive amount of public code -- including bad code. They can reproduce insecure patterns confidently, and they do so at scale: the "Asleep at the Keyboard?" study in the references found that a substantial share of the Copilot-generated programs it examined, across CWE-based scenarios, contained exploitable weaknesses.
A common example is SQL injection via string formatting:
```python
# AI-generated -- looks fine, dangerously wrong
def get_user(username):
    query = f"SELECT * FROM users WHERE username = '{username}'"
    return db.execute(query)
```
The fix is parameterized queries:
```python
# Safe version
def get_user(username):
    query = "SELECT * FROM users WHERE username = ?"
    return db.execute(query, (username,))
```
The first version works perfectly until someone enters `' OR '1'='1` as their username. The formatted query becomes `SELECT * FROM users WHERE username = '' OR '1'='1'`, which matches every row in the table. The AI did not write broken code. It wrote dangerous code that runs just fine.

Two caveats on the fix. The placeholder syntax depends on the driver (`?` for sqlite3, `%s` for psycopg2 and MySQLdb); both are real bound parameters, not string formatting, even though `%s` looks like it. And parameters can only carry values: a table or column name that comes from user input still has to be checked against an allow-list. The OWASP SQL Injection Prevention Cheat Sheet in the references covers both points.
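To make the difference concrete, here is an added example (not code from the original article) that runs both versions of `get_user` against a constructed in-memory SQLite database. The table contents, the `get_user_unsafe` / `get_user_safe` names and the `demo` helper are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: three users, one of them privileged."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    db.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return db


def get_user_unsafe(db: sqlite3.Connection, username: str) -> list:
    # The article's vulnerable pattern: attacker-controlled text is spliced
    # into the SQL, so the quote in the input ends the string literal early.
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return db.execute(query).fetchall()


def get_user_safe(db: sqlite3.Connection, username: str) -> list:
    # Parameterized: the value travels separately from the statement and is
    # never parsed as SQL, whatever characters it contains.
    # (sqlite3 uses '?'; psycopg2 and MySQLdb use '%s' with the same meaning.)
    query = "SELECT id, username FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both versions with a normal username and with the classic payload."""
    db = make_db()
    payload = "' OR '1'='1"
    return {
        "unsafe_normal": get_user_unsafe(db, "alice"),   # one row, as expected
        "unsafe_payload": get_user_unsafe(db, payload),  # every row leaks
        "safe_normal": get_user_safe(db, "alice"),       # one row, as expected
        "safe_payload": get_user_safe(db, payload),      # nobody has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} -> {rows}")
```

Run it and the two "normal" calls return the same single row, which is why the vulnerable version survives a quick manual test; only the payload call separates them. Note that sqlite3 refuses to execute more than one statement per `execute()` call, so a `; DROP TABLE` style payload would raise here, but the data-extraction payload above works in any database.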
2. Silent Logic Errors
These are bugs that produce no error but produce wrong results. They are the hardest to catch and the most costly in production.
```javascript
// AI-generated date comparison -- seems fine
function isExpired(expiryDate) {
  return new Date(expiryDate) < new Date();
}
```
This looks correct. But a date-only ISO string such as `"2024-01-15"` is parsed as midnight UTC at the start of that day, while the natural reading of "expires on January 15" is "valid through the end of January 15" in the user's or the business's time zone. The function therefore reports the item expired from 00:00 UTC on the 15th: for a user in New York that is still the evening of the 14th, and even in UTC it is a full day before the end of the 15th. (A date-time string without an offset, such as `"2024-01-15T00:00"`, is parsed as local time instead, so the behaviour also changes with the input format.) No crash. No error. Just wrong data.
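The same class of bug, and the fix, in Python, as an added example rather than code from the article. The point is not the language but the missing decision: the code never states which instant "expires on 2024-01-15" refers to. `is_expired_like_js` reproduces the JavaScript snippet's semantics (date-only string becomes UTC midnight at the start of the day); `is_expired` encodes the intended rule explicitly. The business time zone is a constructed fixed UTC-5 offset so the example runs anywhere; real code would use `zoneinfo.ZoneInfo("America/New_York")` so that daylight-saving changes are handled.

```python
from datetime import date, datetime, time, timedelta, timezone, tzinfo

# Constructed for the example: a fixed-offset "business" zone. Use zoneinfo in real code.
BUSINESS_TZ = timezone(timedelta(hours=-5), name="UTC-5")


def is_expired_like_js(expiry: str, now: datetime) -> bool:
    """Mirror the JS snippet: a date-only string is taken as midnight UTC at the
    *start* of that day, so expiry begins almost a full day earlier than intended."""
    start_of_day_utc = datetime.fromisoformat(expiry).replace(tzinfo=timezone.utc)
    return start_of_day_utc < now


def is_expired(expiry: str, now: datetime, tz: tzinfo = BUSINESS_TZ) -> bool:
    """'Expires on YYYY-MM-DD' means valid through the end of that calendar day in
    the given time zone, so the cutoff is the first instant of the following day."""
    if now.tzinfo is None:
        # A naive 'now' would silently be compared in whatever zone the server runs in.
        raise ValueError("now must be timezone-aware")
    last_valid_day = date.fromisoformat(expiry)
    cutoff = datetime.combine(last_valid_day + timedelta(days=1), time.min, tzinfo=tz)
    return now >= cutoff


def compare(expiry: str, now_utc_iso: str) -> dict:
    """Evaluate both versions at one instant given as ISO-8601 with a UTC offset."""
    now = datetime.fromisoformat(now_utc_iso)
    return {
        "js_like": is_expired_like_js(expiry, now),
        "explicit": is_expired(expiry, now),
    }


if __name__ == "__main__":
    # Constructed instants around the expiry day of 2024-01-15.
    for when in ("2024-01-15T02:00:00+00:00",   # 21:00 on the 14th in UTC-5
                 "2024-01-16T04:00:00+00:00",   # 23:00 on the 15th in UTC-5
                 "2024-01-16T05:00:00+00:00"):  # 00:00 on the 16th in UTC-5
        print(when, compare("2024-01-15", when))
```

The first instant is still January 14 for the business: the JS-style check already says "expired", the explicit one does not. The second is late on the 15th itself, where the JS-style check has been wrong for over a day. Only at the third instant do both agree. Whichever rule is right for your product, writing it down as a cutoff instant is what turns a vibe into a specification a reviewer can check.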
3. Hallucinated APIs and Libraries
AI tools sometimes reference functions, methods, or entire libraries that do not exist, or did not exist at the time the model was trained. The code looks real, passes a glance, and then fails at runtime the first time that code path is hit (here with `TypeError: myArray.groupByKey is not a function`).
```javascript
// AI might suggest this -- but .groupByKey() does not exist in standard JS
const grouped = myArray.groupByKey('category');
```
Always verify that referenced APIs actually exist in the version of the library or runtime you are using. In this case the standardized API is `Object.groupBy(myArray, item => item.category)`, added in ES2024; an earlier draft of the proposal used an array method under a different name, and that kind of drift between drafts, versions and forks is exactly what produces plausible-but-wrong suggestions. Hallucinated package names are also a supply-chain risk: if a model suggests a package that is not on the registry, anyone can publish a malicious package under that name, so check suggested package names against the registry before installing and pin what you install.
4. Accumulating Technical Debt
Each piece of vibe-coded output that ships without review adds to your technical debt. The code may work today, but it is often:
- Harder to extend because it was not designed for your actual system
- Missing error handling
- Not following your team's conventions
- Overly verbose or missing important abstractions
This debt compounds. Six months later, you are maintaining code nobody fully understands.
Vibe Coding vs. AI-Assisted Coding
These are not the same thing. The difference is review and ownership.
| Approach | Description | Risk Level |
|---|---|---|
| Vibe Coding | Accept AI output with little or no review | High |
| AI-Assisted Coding | Use AI as a starting point, review carefully | Low to Medium |
| Prompt-and-Forget | Ship without testing edge cases | Very High |
| AI + Tests + Review | Generate, test, understand, then ship | Low |
The tool is not the problem. The workflow is.
How to Use AI Code Generation Responsibly
Always Define the Contract First
Before you ask AI to write a function, write the function signature and docstring yourself. This forces you to think about inputs, outputs, and edge cases -- before you see generated code that might anchor your thinking.
```python
def apply_discount(price: float, discount_pct: float) -> float:
    """
    Apply a percentage discount to a price.
    Args:
        price: Must be >= 0
        discount_pct: Must be between 0 and 100 inclusive
    Returns:
        Discounted price, never negative
    Raises:
        ValueError: If inputs are out of range
    """
```
Now ask the AI to implement this. The output will be far more reliable.
Write Tests Before You Ship
At minimum, test edge cases -- not just the happy path:
```python
import pytest


def test_apply_discount():
    assert apply_discount(100, 10) == 90.0    # normal case
    assert apply_discount(100, 0) == 100.0    # zero discount
    assert apply_discount(100, 100) == 0.0    # full discount
    assert apply_discount(0, 50) == 0.0       # zero price
    with pytest.raises(ValueError):
        apply_discount(100, -10)              # negative discount
    with pytest.raises(ValueError):
        apply_discount(-5, 10)                # negative price
```
If the AI-generated code cannot pass these tests, it is not ready to ship.
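Closing the loop on the discount example from the start of the article: here is an implementation that satisfies the contract and the tests above, added as an example and not taken from the article. It goes slightly beyond the contract by also rejecting the inputs a one-line prompt would never mention: `None` and strings (`TypeError`), booleans (`True` is an `int` in Python and would otherwise pass as a 1% discount), and NaN or infinity, which satisfy no range check. The `rejects` helper is an assumption of this example, used so the checks can run without a test framework.

```python
import math
from numbers import Real


def apply_discount(price: float, discount_pct: float) -> float:
    """
    Apply a percentage discount to a price.
    Args:
        price: Must be >= 0
        discount_pct: Must be between 0 and 100 inclusive
    Returns:
        Discounted price, never negative
    Raises:
        ValueError: If inputs are out of range or not finite
        TypeError: If an input is not a real number (None, str, bool, ...)
    """
    for name, value in (("price", price), ("discount_pct", discount_pct)):
        # bool is a subclass of int, so it must be excluded explicitly.
        if isinstance(value, bool) or not isinstance(value, Real):
            raise TypeError(f"{name} must be a number, got {type(value).__name__}")
        # NaN compares False against everything and inf * 0 is NaN; neither is a price.
        if not math.isfinite(value):
            raise ValueError(f"{name} must be finite")
    if price < 0:
        raise ValueError("price must be >= 0")
    if not 0 <= discount_pct <= 100:
        raise ValueError("discount_pct must be between 0 and 100 inclusive")
    # The clamp enforces the 'never negative' promise even against float noise.
    return max(price - price * discount_pct / 100, 0.0)


def rejects(func, exc_type, *args) -> bool:
    """Return True if func(*args) raises exc_type (helper for the checks below)."""
    try:
        func(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # The article's edge cases, plus the ones the contract implies but never lists.
    assert apply_discount(100, 10) == 90.0
    assert apply_discount(0, 50) == 0.0
    assert rejects(apply_discount, ValueError, 100, -10)     # was silently 110.0
    assert rejects(apply_discount, ValueError, 100, 150)     # was silently -50.0
    assert rejects(apply_discount, TypeError, 100, None)     # crashed with a bare TypeError
    assert rejects(apply_discount, TypeError, 100, True)     # would silently be 99.0
    assert rejects(apply_discount, ValueError, float("nan"), 10)
    print("all checks passed")
```

Compare this against the two-line version the prompt produced: every extra line corresponds to an input that the original accepted and answered wrongly. That is the review question to ask of generated code in general: not "does it run" but "which inputs does it accept that it should refuse".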
Ask the AI to Critique Its Own Output
This is underused. After generating code, ask: "What are the potential edge cases or failure modes in this code?" AI tools are often quite good at identifying their own mistakes when prompted directly.
Keep Generated Code Isolated and Reviewable
Structure your project so AI-generated code is easy to identify and review. One approach is to keep it in clearly named files during development:
```text
src/
  services/
    payment.py        # human-written, stable
    discount.py       # human-written, stable
  ai_generated/
    discount_util.py  # AI draft -- needs review
    formatter.py      # AI draft -- needs review
```
Review and promote files out of ai_generated/ only after proper testing and understanding.
When Vibe Coding Is Actually Fine
Not every context is production code. There are legitimate cases where generating and shipping quickly makes sense:
- Personal scripts you run once
- Throwaway prototypes to test an idea
- Data exploration in a Jupyter notebook
- Boilerplate you will heavily modify anyway
The key question is: what is the cost if this code silently fails? If the answer is "nothing important," vibe away. If the answer involves user data, money, or security -- slow down.
Q&A
1. Is vibe coding always bad?
No. For low-stakes, personal, or throwaway code, it is perfectly fine. The risk increases significantly when you are shipping to production or handling sensitive data.
2. Can AI-generated code ever be production-ready without review?
Rarely, and only for very simple, well-understood tasks with comprehensive automated tests already in place. Even then, someone needs to understand what the code does.
3. Why does AI generate plausible-looking wrong code instead of just failing?
AI models predict the next most likely token based on training data. They are optimizing for code that looks correct, not code that is correct. They have no awareness of your specific system, data, or edge cases.
4. What is the most dangerous type of AI-generated code?
Code that handles authentication, authorization, data validation, or financial calculations. These are areas where subtle bugs have serious consequences and may not surface until they are exploited.
5. How do I know if I understand the AI-generated code well enough?
A good test: can you explain what every line does, what inputs could break it, and how it would behave in failure scenarios? If not, it is not ready to ship.
6. Does using a better AI model reduce the risk?
Better models produce better code on average, but they still hallucinate, miss edge cases, and reproduce insecure patterns. The review process remains essential regardless of the model.
7. Should I tell my team when code was AI-generated?
Yes. It helps reviewers know where to focus their attention. Some teams add a comment or use a naming convention to flag AI-generated sections during review.
8. What is a simple first step to code more safely with AI?
Write your function signature and tests first. Then generate the implementation. Then verify the implementation passes your tests. This one change eliminates a large percentage of the risk.
9. How does vibe coding affect team codebases long-term?
It creates code that nobody fully owns or understands. Over time, this makes refactoring harder, onboarding slower, and bugs more frequent. Technical debt from vibe coding tends to be diffuse and hard to measure until it becomes critical.
10. Are there tools that help review AI-generated code?
Yes. Static analyzers (Bandit for Python, ESLint for JavaScript), security scanners (Semgrep, Snyk), and type checkers (mypy, TypeScript) all catch categories of errors that visually plausible code can hide. Use them as part of your pipeline.
My SaaS
Acluebox
Build modular and reusable system prompts with my SaaS, Acluebox. Also, free prompt template generators there.
References
SQL Injection Prevention Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions - https://arxiv.org/abs/2108.09293
The ML Test Score: A Rubric for ML Production Readiness and Technical Debt Reduction - https://research.google/pubs/the-ml-test-score-a-rubric-for-ml-production-readiness-and-technical-debt-reduction/
