How to not vibecode yourself in the foot
So, you want to use AI to code stuff, but you’re kinda scared about doing something really, really wrong? From a software engineer to you: 10 tips so that you don’t die from AI-generated bugs.
Before we start, my credentials: I’m a software engineer at a big tech company that uses AI coding tools like Cursor and Copilot. I write production code daily, deal with real-world incidents, and yes, I do this for a living.
AI is amazing — it unlocks things you never thought you could do. But it’s also a dangerous tool. So, BEWARE! Here’s how to vibecode1 without setting your laptop (or career) on fire — straight from someone in the trenches.
Don’t Use It for Important Stuff
I’m not here to yell at you or gatekeep software. AI coding tools are here, people will use them, and honestly, it’s great to see coding becoming more accessible.
That said, vibecoding is a loaded gun—and not a tiny one. There’s a reason software engineers spend years getting told “no, not like that” by more experienced peers. It’s easier to write bad code than good code, and AI can only help so much.
So here’s lesson one: don’t vibecode anything important. I know, I know: you want to build an app, launch a startup, make millions. But that’s 1) a gambler’s fantasy and 2) incredibly risky. If you’re dealing with money, private data, or anything sensitive, just don’t. Even experienced engineers mess this up, and when they do, it’s catastrophic.
Security Is Not a Vibe
I know, you’re tired of this warning already. But I’m repeating myself because you are not as safe online as you think. Even if you’re careful, you don’t have the knowledge to spot every trap.
Rule of thumb: If it touches money, double-check it. Then triple-check it. Then ask yourself if you even need it in the first place. Same for private data. And connecting to the internet.
But advice is boring—examples are scarier.
AI will happily serve you security vulnerabilities.
A developer spun up a website using Copilot. It looked great, worked fine… until he checked the code and found zero protection against SQL injections. Had he launched it, hackers would have cracked it in under an hour. When he asked ChatGPT to fix it, it did – but he knew what to ask for. You, dear reader, don’t know what a SQL injection is2, why it’s bad3, or if ChatGPT actually fixed it4.

Vibecoding made this one guy’s project an all-you-can-steal buffet. He shared his AI-coded app, launched it on Twitter, and within hours:
Users bypassed his subscription paywall (free pro features!)
Bots maxed out his API keys (costing him $$$)
Hackers corrupted his database (more $$$)
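To make the SQL injection story concrete, here is an added example (not code from the post or from the developer it describes) showing the two ways a user lookup can be written. The in-memory SQLite table, the user names and the `find_user_*` function names are all constructed for the example. The "vulnerable" version is what unprotected AI-generated code typically looks like; the "safe" version is the parameterised query a reviewer would ask for. The textbook probe at the bottom is the check you can run yourself to tell the two apart.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table standing in for the app's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alices-password"), ("bob", "hash-of-bobs-password")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The kind of lookup the post warns about: the input is pasted straight into the SQL text.

    Anything the user types becomes part of the query, so quotes and keywords in the
    input are parsed as SQL rather than treated as a name to look up.
    """
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Same lookup with a parameterised query.

    The `?` placeholder tells the driver to send the value separately from the SQL,
    so the input can only ever be compared against the column, never executed.
    """
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


# The textbook probe a reviewer tries first: it closes the quote and appends a condition
# that is always true. A safe lookup returns nothing for it; an unsafe one returns everyone.
TEXTBOOK_PROBE = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", TEXTBOOK_PROBE):
        print(repr(name), "->", find_user_vulnerable(db, name), "vs", find_user_safe(db, name))
```

Run it and compare the two columns: for the name `alice` both functions agree, for the probe the vulnerable one hands back the whole user table. If you cannot explain why the second version is different, that is exactly the gap the post is talking about.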
He thought he was unlucky, and that one bad guy found his stuff. He wasn’t. The internet is full of people who will steal your money the second you give them an opening. You are never safe, and there are thousands of them.
If you don’t understand how you’re deploying your project, how your database authentication works, or who has access to what, you’re already compromised.
Senior AI “entrepreneurs” will tell you, “Oh, just ask ChatGPT to write secure code.” But AI is a professional liar – it hallucinates, bullshits, and will cheerfully assure you that your security holes are fine.
There’s a massive gap between “it works on my computer” and “it’s safe on the internet.” You cannot protect what you don’t understand, and AI is building things you don’t understand. Q.E.D.5
Now, if you’re following my advice, here are some tips to make the process go a bit smoother.
“It compiles” isn’t the same as “it works”
Compilation is the process of transforming the code you wrote in a programming language into another language, one that is closer to the machine and not really meant for humans to read. When code compiles, it simply means that the syntax is correct – the structure of the code follows the rules of the language, and the computer can process it.
However, just because code compiles does not mean that it works. Code that works is code that behaves as expected – it produces the correct results, does what you wanted it to, handles inputs properly, and doesn’t break under real-world conditions. AI-generated code will often compile just fine, but that does not mean it’ll work when time comes to ship it.
AI does not understand intent. It will generate something that follows your request literally, but it will not grasp the deeper logic of what you meant. Despite the name, AI coding tools do not “think” or “understand” – they just predict plausible-looking text. The illusion is deep, but you will find the bugs in the matrix, and it won’t quite do what you want.
To avoid this, it is important to be as precise as possible when describing what you want. Instead of just asking for code that performs a task, describe the expected behavior in detail. AI needs clear instructions, not assumptions.
Debugging Is 80% of the Work—And AI Makes It Harder
If you’re new to coding, just getting a few lines to compile might feel like a huge victory. But any software engineer will tell you: that’s only the first step. The real battle is making sure the code actually works, and that means debugging.
Debugging AI-generated code is even trickier because AI doesn’t write code the way a human would. A human gradually builds an understanding of their own code, adding comments, structuring it logically, and keeping track of decisions. AI on the other hand, generates code in disconnected chunks, often without a clear structure. This makes it much harder to figure out where things go wrong.
Write tests! AI is actually perfect for that
Testing your application manually is a pain. If you're building a website, you have to start the server, spin up the database, load the app, and then click around endlessly just to see if one tiny function works. Luckily, there's a better way: automated testing. Thankfully, this is a format where AI truly shines!
Tests are little bits of code that don’t run in production but can be executed on their own to verify that everything behaves as expected. There are two main types you’ll want to write: unit tests and end-to-end (e2e) tests.
Unit tests focus on small, isolated pieces of your code — usually individual functions. AI is absurdly good at generating them. The trick is to start by making sure the AI understands what the function is supposed to do. Before generating tests, prompt it with:
"Write a comment that documents the behavior of this function."
Once the AI summarizes it correctly, you can then ask:
"Generate unit tests for this function, covering all edge cases."
The AI will handle the tedious work of writing the tests; you just need to double-check that the expected results actually match reality. A good rule of thumb: if a function takes more than one sentence to explain, write a test for it.
End-to-end tests take a step back and look at your app as a whole, mimicking real user behavior. Instead of testing individual functions, they check the entire workflow. For example:
Filling out a signup form, then
Submitting the form, then
Logging in with the newly created account, END
E2E tests don’t care about what happens inside the code at each step; they just make sure the feature works from start to finish.
Each type of test does something different, and they are both useful for a healthy app. Unit tests are great for pinpointing where something is broken. They make debugging manageable since you're only working with small chunks of code. But even if all your unit tests pass, the interactions between components can still fail—this is where E2E tests save you.
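Here is what the two kinds of test look like side by side, as an added example that is not from the post. The tiny signup/login "app", its password rules and the user names are all constructed for the example, so it runs without a server or database. `test_validate_password` is a unit test: one function, every edge case you can think of. `test_signup_then_login` is an end-to-end test: it only goes through the front door (sign up, log in, log in with the wrong password) and never looks at how passwords are stored.

```python
import hashlib
import hmac
import os
import re


def _hash(password, salt):
    """Slow, salted password hash (PBKDF2); never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def validate_password(password):
    """Return the list of problems with a password (an empty list means it is acceptable).

    Rules assumed for the example: at least 8 characters, at least one digit,
    at least one letter, no leading or trailing whitespace.
    """
    problems = []
    if password != password.strip():
        problems.append("leading or trailing whitespace")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    return problems


class SignupError(ValueError):
    """Raised when a signup is refused."""


class App:
    """Constructed toy backend: users live in a dict instead of a database."""

    def __init__(self):
        self.users = {}  # username -> (salt, password hash)

    def signup(self, username, password):
        if not username:
            raise SignupError("username required")
        if username in self.users:
            raise SignupError("username taken")
        problems = validate_password(password)
        if problems:
            raise SignupError("; ".join(problems))
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))
        return True

    def login(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison so the check does not leak how many bytes matched.
        return hmac.compare_digest(_hash(password, salt), expected)


# Unit test: one small function, all the edge cases.
def test_validate_password():
    assert validate_password("correct1horse") == []
    assert "shorter than 8 characters" in validate_password("ab1")
    assert "no digit" in validate_password("lettersonly")
    assert "no letter" in validate_password("12345678")
    assert "leading or trailing whitespace" in validate_password(" pass1234 ")
    assert validate_password("") == ["shorter than 8 characters", "no digit", "no letter"]
    return True


# End-to-end test: the whole signup -> login journey, without peeking inside.
def test_signup_then_login():
    app = App()
    assert app.signup("melinda", "sociology42")
    assert app.login("melinda", "sociology42")
    assert not app.login("melinda", "wrongpassword")
    assert not app.login("nobody", "sociology42")
    try:
        app.signup("melinda", "another-pw1")
    except SignupError as err:
        assert "taken" in str(err)
    else:
        raise AssertionError("signing up twice with the same name should fail")
    return True


if __name__ == "__main__":
    test_validate_password()
    test_signup_then_login()
    print("all tests passed")
```

Notice that the unit test is the place where "covering all edge cases" actually means something: the empty string, whitespace, digits only. The end-to-end test would still pass if you swapped the hashing function for something else, which is the point: it checks the feature, not the implementation.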
Testing is something most software engineers hate to do, because you have to be so precise to test all the edge cases, all the weird stuff, and it takes a lot of effort to make sure it’s written correctly. It’s one of the only steps where I truly see the value as a professional – so take advantage of it!
Learn What’s Under the Hood
Let’s say you’ve done everything by the book: you’ve used AI to write your code, you’ve written tests, and everything seems to be working fine. Then, one day, your app goes viral. A flood of users sign up, and suddenly… everything grinds to a halt.
Why? Because deep in your code, there’s a function that loops over an array (a list of things with certain properties) twice in a nested fashion6. When you were testing, the array had maybe 10 items. Now that thousands of users are sending data, that same function is choking on millions of entries. Your app isn’t just slow – it’s unusable.
This is the kind of issue that tests won’t catch. Your function still works perfectly… just at a scale too small to reveal the disaster waiting to happen. And it’s not just performance. Concurrency issues in databases7, memory leaks8 – these problems only show up under real-world conditions, and if you don’t know what to look for, they’ll blindside you.
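The nested-loop trap from above (and footnote 6's 30 × 20 = 600 arithmetic), as an added example that is not from the post. The two `common_items_*` functions are constructed for the example: they give the same answer, but one walks all of B for every element of A, while the other builds a set once and does one cheap lookup per element. `steps_needed` counts the work without running anything, and `time_both` shows the "10 items in testing vs. thousands in production" gap on your own machine.

```python
import random
import time


def common_items_nested(list_a, list_b):
    """Nested loops, as in the footnote: for each a in A, walk through all of B.

    The work grows as len(A) * len(B), so doubling both lists quadruples the time.
    """
    found = []
    for a in list_a:
        for b in list_b:
            if a == b:
                found.append(a)
                break
    return found


def common_items_set(list_a, list_b):
    """Same answer with a set: build it once, then one cheap lookup per element of A.

    The work grows as len(A) + len(B) instead of len(A) * len(B).
    """
    in_b = set(list_b)
    return [a for a in list_a if a in in_b]


def steps_needed(len_a, len_b):
    """Count the elementary steps each approach takes, without running anything large.

    Nested loops compare every pair; the set version does one insert per element of B
    and one lookup per element of A.
    """
    return {"nested": len_a * len_b, "set": len_a + len_b}


def time_both(size):
    """Time both versions on constructed random lists of the given size (seconds)."""
    rng = random.Random(0)
    list_a = [rng.randrange(size * 10) for _ in range(size)]
    list_b = [rng.randrange(size * 10) for _ in range(size)]
    timings = {}
    for name, fn in (("nested", common_items_nested), ("set", common_items_set)):
        start = time.perf_counter()
        fn(list_a, list_b)
        timings[name] = time.perf_counter() - start
    return timings


if __name__ == "__main__":
    print(steps_needed(30, 20))  # the footnote's 600 operations, versus 50
    for size in (10, 3000):      # tiny test data versus something closer to real traffic
        print(size, time_both(size))
```

With 10 items both versions finish instantly, which is why a passing test tells you nothing here. At a few thousand items the nested version is already visibly slower, and the gap keeps widening, because its step count is the product of the sizes rather than the sum. The question to ask the AI is "what is the complexity of this function?", and then make it name the answer (quadratic vs. linear) so you can look it up.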
AI can help, but you need to know what to ask. To avoid these pitfalls, you need to learn enough to ask the right questions. AI is great at answering things, but only if you feed it the right prompts.
These are just the first layer of questions. The real key is to keep asking "why?" Don’t stop at an AI-generated answer—make it name the concept, tool, or algorithm so you can look it up yourself. This is how you go from vibecoding to actually understanding what’s happening under the hood.
Last bit of advice: don’t ask coding AIs like Cursor – they’re not meant for it. Use a general AI like ChatGPT, but always double-check. AI is confident, but confidence isn’t the same as correctness.
Read Every Line of Code, VERY Carefully
At this point, you’ve generated code, made sure it compiles, tested and debugged it until it behaves correctly, and asked AI what’s happening under the hood. Now it’s time for ⭐ code review ⭐, where you take a critical look at everything and make sure you haven’t made a catastrophic mistake.
The challenge? Reading is passive. Writing forces you to think through every step, but when AI does the writing, you lose the deep understanding that comes from struggling through it yourself. Software engineers deal with this all the time when reviewing each other’s code, but they have safeguards:
Code review limits (e.g., “no more than 1,000 lines at a time”).
Detailed explanations of what changed and why.
Colleagues who (hopefully) aren’t trying to sneak nonsense past them.
Personally, I do the opposite of what I just described: I write the feature myself first, then ask AI to summarize it, suggest edge cases, and help me test it. If I let AI write the whole thing, I fall into passive mode and inevitably miss major problems.
I’m not saying this to gloat – it’s just that writing a clear prompt for AI often requires as much effort – if not more! – as writing the code itself. AI is most useful when it’s handling tedious autocomplete-style work, not when it’s taking wild guesses based on a vague request.
Since you don’t have the option of writing code from scratch, you have to be extra careful when reviewing AI’s output. Read every line. Think critically. Try to understand all the implications. If something looks weird, assume it’s wrong until proven otherwise.
Git Is Your Friend—Version Control Is a Must
Ever heard of version control? Think of it like Google Docs' version history, but for code (and way more powerful). The industry standard is git, and while it can get complicated, for a solo project you only need a few basic commands:
commit – Saves your work as a snapshot. Think of it as a "checkpoint" in a video game. If your code is working (or at least kinda working), commit it.
log – Shows a history of your commits. Useful when you realize, "Wait, when did everything break?"
revert – Rolls back a specific commit. This is your undo button—if you commit often, this will take you back to the last stable version. It’s easier than Ctrl-Z, because lines of code are often interdependent, so you need to change a bunch of files at once.
push / pull – If you’re saving your code online (like on GitHub), these commands sync it with the cloud. Optional if you’re working locally, but a lifesaver if your laptop dies.
That’s all you really need for a basic project. No need to worry about other stuff you’ll find in tutorials like branches, merges, or rebases, unless you start collaborating with others.
But why do I need this? Well, one of AI’s worst habits is chaotic, unnecessary changes. Ask it to tweak one file, and suddenly it’s “helpfully” rewriting half your codebase. Now you're stuck trying to untangle the mess.
On top of that, software development is iterative, which means you often have to undo or redo things to make new stuff work. git makes all of this a piece of cake! It also forces you to save a copy of your work in the cloud, so that when your MacBook finally dies, you won’t cry too many tears (only $3,000, sorry).
And when Git inevitably confuses you (it confuses everyone), here’s a lifeline: Oh Shit, Git!?!
You will NOT become a software engineer by vibecoding
I know everyone is shilling their ai-training-become-rich-startup-money course right now, but don’t fall for that. Software engineering is a complex thing to master, and it takes time, effort, and education to get there. You can definitely get yourself to a decent level on your own, but it won’t be by vibecoding.
Don’t pretend, or you will be mocked. We (software engineers) aren’t making fun of Melinda in sociology who’s using AI to code nice visualisations of her data! She’s using a tool to enhance her work, double-checking the results with her professional knowledge and making sure it’s all safe and good. No, but we are laughing at 20-year-old college student Kevin who thinks he’s better than everyone else because he coded a (broken, unsafe, unmaintainable) app over the weekend, checkmate old nerds.
If you’re serious about learning, then get yourself on a university e-course9 and follow those lectures. It will teach you all those fundamentals I was talking about. Then practice, a lot, and mostly on your own. Write your code first, and then ask the AI about it – either to double check, or when you’re stuck. But all in all, use your own brain and your own thinking capabilities to build those problem-solving muscles.
Ask for help before putting anything on the internet
If your app connects to the internet in any way, you need to have it audited by a professional. No exceptions. I know it’s expensive. I know they’ll tell you to change a ton of things. I know it’s hard to even find someone competent and trustworthy to do it. But skipping this step is like leaving your front door wide open and hoping no one walks in.
A proper security audit will save you money, lawsuits, and sheer existential dread down the line. If you can’t afford one, then—harsh truth—you can’t afford to launch an app either.
Now, there’s one tiny problem. Professionals don’t want to touch AI-generated spaghetti code. Why? Because it’s usually incomprehensible, poorly structured, and riddled with subtle issues that make it a nightmare to review. That means if you vibecode your app, expect to pay a premium to get it audited—if you can even find someone willing to do it.
That’s the price of vibecoding safely. Either invest in security now, or get ready to learn the hard way when a botnet makes your app its new home.
Vibecode with Joy (and a Little Caution)
Congratulations! You now have the power to create all sorts of things—little tools, silly automations, weird experiments that make your life easier or just make you laugh. Coding, even vibecoding, is magic. It turns ideas into reality. It’s fun. It’s powerful. And now, it’s within your reach.
So go wild! Build things, break things, learn things. Enjoy the process. Just… maybe don’t put anything on the internet unless you’re absolutely sure it won’t get you hacked. Your local machine is a great playground. The web? That’s a battlefield.
Vibecode responsibly, and have fun!
Any questions? Ask me below or by replying to this email (it’s private, only I can see anything). I’m happy to help <3
Thank you to and for telling me to write this, and to for the feedback!
Vibecoding: Writing code using an AI language model without prior programming knowledge or a deep understanding of the underlying concepts. Basically only communicating with the AI in English until it generates something you like
It’s when you use tricks to send malicious database code through your browser, in such a way that it will get executed by the server behind the app
Usually used to get access to said database so you can destroy it or steal the info inside it
That’s a much bigger problem than I have space for here lol
French word of the day: we use CQFD for Ce qu’il fallait démontrer – i.e. what was meant to be proven. I like it a lot better than weird Latin honestly ;)
Nested means that you make loops within loops. For example: for each element a of list A -> check if for each element b of list B -> a equals b.
If A has 30 elements and B has 20, you already have to do 600 operations! And those are rookie numbers; it can get really big really fast (and therefore really slow to complete).
For example, if you have a counter for the number of people who liked a post. Users Bob and Alice both read the value from the database when they look at the page, so that it prints at the bottom of the post: 4 people liked it. Then Bob likes the post, so he tells the database it was liked 5 times! Now what happens if Alice also likes the post? She will also send the value 5, because she’s operating on outdated numbers!
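Bob and Alice's lost like, played out against a real (in-memory SQLite) database, as an added example that is not from the post. The table, the starting count of 4 and the function names are constructed for the example, and the order of the steps is scripted so the result is reproducible instead of depending on thread timing. `lost_update` is the footnote's story; `atomic_increment` and `like_if_unchanged` are the two standard fixes: let the database do the arithmetic, or only write if nobody changed the value since you read it.

```python
import sqlite3


def make_db():
    """Constructed in-memory table: one post that 4 people have already liked."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, likes INTEGER NOT NULL)")
    conn.execute("INSERT INTO posts (id, likes) VALUES (1, 4)")
    conn.commit()
    return conn


def read_likes(conn):
    (likes,) = conn.execute("SELECT likes FROM posts WHERE id = 1").fetchone()
    return likes


def lost_update(conn):
    """Read-modify-write: the footnote's story, with Bob's and Alice's steps in order."""
    bob_sees = read_likes(conn)      # Bob loads the page: 4
    alice_sees = read_likes(conn)    # Alice loads the page: also 4
    conn.execute("UPDATE posts SET likes = ? WHERE id = 1", (bob_sees + 1,))    # Bob: "it's 5 now"
    conn.execute("UPDATE posts SET likes = ? WHERE id = 1", (alice_sees + 1,))  # Alice: "it's 5 now"
    conn.commit()
    return read_likes(conn)          # 5, although two people clicked like


def atomic_increment(conn):
    """Fix 1: let the database do the arithmetic in one statement, so no stale copy is involved."""
    for _person in ("bob", "alice"):
        conn.execute("UPDATE posts SET likes = likes + 1 WHERE id = 1")
    conn.commit()
    return read_likes(conn)          # 6


def like_if_unchanged(conn, expected):
    """Fix 2 (optimistic check): only write if the counter still holds the value we read.

    Returns True if the like was recorded, False if someone else got there first and
    the caller has to re-read and retry.
    """
    cur = conn.execute(
        "UPDATE posts SET likes = ? WHERE id = 1 AND likes = ?", (expected + 1, expected)
    )
    conn.commit()
    return cur.rowcount == 1


def optimistic_scenario(conn):
    """Same interleaving as lost_update, but Alice's stale write is rejected and retried."""
    bob_sees = read_likes(conn)
    alice_sees = read_likes(conn)
    bob_ok = like_if_unchanged(conn, bob_sees)        # True: 4 -> 5
    alice_ok = like_if_unchanged(conn, alice_sees)    # False: the counter is 5, not 4
    if not alice_ok:
        alice_ok = like_if_unchanged(conn, read_likes(conn))  # re-read (5) and retry: 5 -> 6
    return read_likes(conn), bob_ok, alice_ok


if __name__ == "__main__":
    print("read-modify-write:", lost_update(make_db()))        # 5
    print("atomic increment: ", atomic_increment(make_db()))   # 6
    print("optimistic check: ", optimistic_scenario(make_db()))  # (6, True, True)
```

This is the kind of bug that never shows up on your laptop, because you are the only user and never race yourself. If the AI wrote a "read the number, add one, write it back" sequence anywhere in your app, that is the question to ask it about.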
When you don’t manage the memory of your app well. Sometimes, you use variables, and then don’t need them anymore. Depending on the language, you might have to tell the code explicitly that you want them to be discarded. If you forget, the variable will stay in the memory. Problem: your server where the app runs is limited in memory. If too many unused variables stay there, it won’t have any free space left to work with and it will crash!
CS50 from Harvard is often a good entrypoint, and it’s free!
This was fascinating despite not having any intentions to vibecode 😄
Love how accessible you made this post for beginners!
You know, the way you feel about vibecoding is how I’ve been feeling about software engineers (and billionaires with no qualifications) getting interested in manufacturing and making hardware or robots. I’ve been meaning to write a post about why innovation in manufacturing is much harder than in tech. The difference is just that people are gonna die if software engineers program hardware the same way they do software or (oh the horrors) start letting AI program robots and production machines. That’s become even more scary to me after reading this post and learning how chaotic AI programming is.
I’ve recently seen David Perrell talk about a factory where the production robots learn from each other and change their code when they learn something new and just thought ‘they better not be doing this because that sounds insanely dangerous’ but I think it represents well how different the manufacturing world is from people’s perception of it. And that seems to be similar in software.
Now I’m worried that executives with no clue will decide to suddenly let AI write all the code without knowing the dangers and the whole internet is gonna become mayhem 😅
As someone who simultaneously wants to stick her head in the sand and hope AI goes away while also thinking hmm I need to sign up for Cursor, I learned so much from this post! You made a technically complex topic really accessible. Thank you!