promptgarden ๐ŸŒฑ
๐ŸŒ ES
Guideโ—โ—โ—‹3 min ยท +40 XP

Security in Vibe Coding

AI-generated code comes with typical vulnerabilities. A short checklist helps catch them early.

What's the risk?

"Vibe coding" - letting an AI write most of the code without reviewing every line yourself - is fast, but it brings along typical security gaps worth knowing about.

Missing input validation

AI-generated code doesn't automatically validate user input enough. Without explicit instructions, validation for form fields, API parameters, or file uploads is often missing - a classic attack surface.

Secrets in the code

AI models sometimes write placeholder keys or example credentials directly into the code instead of moving them into environment variables. If this isn't checked, API keys or passwords end up in the repository.

Hallucinated dependencies (slopsquatting)

AI models sometimes recommend package names that don't actually exist (hallucination). Attackers register exactly these made-up package names with malicious code - this risk is called "slopsquatting." If you install whatever the AI suggests without checking, you can pull in malware this way.

Checklist

  • Review requirement: have a human check every AI-generated change before it goes to production
  • Dependency check: verify suggested package names before installing (does the package actually exist, how reputable is it?)
  • Secrets scanner: automatically scan for accidentally committed keys and passwords
  • Least privilege: the code (and the agent writing it) only gets the permissions it actually needs

EXAMPLE

Conceptual example: before every merge, a secrets scanner and a dependency check run automatically, verifying new package names against the real registry.

QUICK QUIZ

What is 'slopsquatting'?

SOURCES

RELATED TOPICS

Vibe Coding: When It Works, When It Bites You โ—โ—‹โ—‹Guardrails for Autonomous Agents โ—โ—โ—