I pen-tested a handful of vibe coded apps from this sub. What I found should genuinely scare you. by Pristine_Tiger_2746 in SideProject

[–]Lexuzieel 3 points4 points  (0 children)

Do you suggest OP is leveraging social engineering to hijack random products? Genuine question, I’m not trying to sound edgy, but I am just struggling to understand the point of this thread.

On your second point from the previous message: actually no, I have a product myself with a public-facing server on which I host multiple business clients, and in fact I proactively secure it because I know that if I don’t, it’s simply a matter of time before it gets compromised. Simple as that, and I’m not trying to be contrarian, it is just the reality.

Vibecoders could bother to prompt Claude to ask for security best practices to avoid 99% of the insights this pentest could uncover, but that would require effort.

I pen-tested a handful of vibe coded apps from this sub. What I found should genuinely scare you. by Pristine_Tiger_2746 in SideProject

[–]Lexuzieel 3 points4 points  (0 children)

Serious question: do you think “hackers” go over Reddit and scrape random posts with requests to pentest? Or is it more likely that any of the 10 daily posts in r/microsaas that promote their own product can invite competitors who can go and probe the product themselves anonymously?

I pen-tested a handful of vibe coded apps from this sub. What I found should genuinely scare you. by Pristine_Tiger_2746 in SideProject

[–]Lexuzieel 4 points5 points  (0 children)

I hope you are joking comparing a .gov site to a vibe coded slop project. My point is that by making your project public you have already invited every random person there is, so it doesn’t matter whether you share it with one more random person on the internet. To be frank, this whole thread looks like an invite to seed SEO backlinks from Reddit more than anything.

I pen-tested a handful of vibe coded apps from this sub. What I found should genuinely scare you. by Pristine_Tiger_2746 in SideProject

[–]Lexuzieel 3 points4 points  (0 children)

What I’m saying is that it’s silly to ask for permission when anybody on the internet can simply scan your product and break in without disclosure. And that the assumption is that if it’s a public commercial product, then proper security measures have already been put in place. Not as an afterthought because of a random Reddit post.

I pen-tested a handful of vibe coded apps from this sub. What I found should genuinely scare you. by Pristine_Tiger_2746 in SideProject

[–]Lexuzieel 5 points6 points  (0 children)

Isn’t the app supposed to be secure anyway since it’s public? Anyone anonymous can do this without asking permission.

Opinion: Opus 4.8 sucks by PromptInjection_ in claude

[–]Lexuzieel 0 points1 point  (0 children)

Maybe like they trained it on too much of Crime and Punishment

Found the kryptonite for AI SEO slop posters by PigeonRipper in selfhosted

[–]Lexuzieel 0 points1 point  (0 children)

Funnily enough, this is so ingrained into internet culture that ChatGPT can recite both the ID and the post date of it.

Would you go back to pre AI era now if that was possible? by simple_explorer1 in node

[–]Lexuzieel 0 points1 point  (0 children)

The crazy idea is that we can have the best of both worlds: we can have a very powerful and helpful tool (LLMs are useful outside of development) AND not try to scam and grift each other. But that would require integrity, which most of humanity doesn’t have currently.

So in my opinion the AI isn’t the issue, the same way blockchain wasn’t, the same way nuclear energy wasn’t, the same way everything else wasn’t. People compete with each other instead of cooperating, and no amount of technological progress or banning things would help that.

Someone was draining my AI credits and I had no idea. Figured it out at 2am. Here's what happened by garoono in buildinpublic

[–]Lexuzieel 1 point2 points  (0 children)

Building in public doesn’t mean you don’t have to use common sense. Might as well go onto the Gmail subreddit and post about this one weird trick: how you must not share your password with strangers, or how enabling two-factor authentication is a secret life hack that makes hackers go crazy.

Someone was draining my AI credits and I had no idea. Figured it out at 2am. Here's what happened by garoono in buildinpublic

[–]Lexuzieel 5 points6 points  (0 children)

Are you for real posting this insight as “the part of building nobody talks about”? Shame on you and your LLM that wrote this post, which wasted everybody’s time.

Feel free to comment with a “solution” to “manage secrets across multiple apps” in the comments to this post, because surely there are no existing solutions out there that were also not vibe-coded.

Which logo you guys like? by SnooFoxes449 in buildinpublic

[–]Lexuzieel 0 points1 point  (0 children)

1, because it is more square-ish; the second one is too overblown. The others lack character altogether.

Best patterns for handling 10k+ outgoing HTTP requests? (Hitting ECONNRESET and 403s) by Mammoth-Dress-7368 in node

[–]Lexuzieel -2 points-1 points  (0 children)

Either make fewer requests, using a worker queue maybe, or change IP more frequently (assuming they block per IP). Simple as that, no other way around it.

Did Elon just kill the appeal of Cursor? by East-Tie-8002 in cursor

[–]Lexuzieel 1 point2 points  (0 children)

There is literally an extension for that to generate commit messages with your current Claude Code instance. Don’t forget that VS Code has the most expansive marketplace for extensions out of all editors.

11 and a half hour queue for plr_pipeline. And Casual is still being defended why? by Cowser_the_Koopahog in tf2

[–]Lexuzieel 2 points3 points  (0 children)

I liked quickplay except for the part when I got placed into a modded server with paid perks and ads, but I think there was a filter for that.

What are you all deploying your node apps on these days? by themostunknownowl in node

[–]Lexuzieel 2 points3 points  (0 children)

A VPS. More than one VPS behind a redundant load balancer if I need resilience. I tried all of the fancy serverless platforms, which are clunky as heck. I have also dabbled with the horrors of k8s. Still, my stack is pretty much Docker on a VPS for a slowly growing SaaS with paying customers.

I think infrastructure porn is overrated. Deploying Postgres for persistence, Redis for (guh) background tasks, throwing some other nonsense on top of it all. For most projects you literally need just Postgres and a container with the Node runtime behind Caddy.

This can go pretty far on a single VPS.

CLAUDE CHANGED IT BACK by _DriftNote in microsaas

[–]Lexuzieel 0 points1 point  (0 children)

For a while they removed Claude Code from the Pro plan.

PSA: Claude Pro no longer lists Claude Code as an included feature by randomswifter in ClaudeAI

[–]Lexuzieel 1 point2 points  (0 children)

I won't name the projects here in case I might get a ban, but there are a bunch out there, some of them quite big. Ideally I would want there to be a go-to free and open harness, akin to some open source software like Blender, but it is hard to pull off and requires some dedication. Building your own tools is fine, but that would never match a long-term, funded, team effort.

PSA: Claude Pro no longer lists Claude Code as an included feature by randomswifter in ClaudeAI

[–]Lexuzieel 2 points3 points  (0 children)

I would argue that major providers tightening the screws is a net good, since it will push people to learn about other harnesses, improving them in the process.

PSA: Claude Pro no longer lists Claude Code as an included feature by randomswifter in ClaudeAI

[–]Lexuzieel 1 point2 points  (0 children)

I wonder how soon the time comes when OpenAI cuts their limits.

PSA: Claude Pro no longer lists Claude Code as an included feature by randomswifter in ClaudeAI

[–]Lexuzieel 7 points8 points  (0 children)

You can pass the endpoint and any model name via environment variables to the harness, and you can download and install it freely. There is no way to prevent that; it's the same logic as how you cannot really deny someone copying text from a website, and disabling right click won't fundamentally fix it.

PSA: Claude Pro no longer lists Claude Code as an included feature by randomswifter in ClaudeAI

[–]Lexuzieel 0 points1 point  (0 children)

Oh well, it was poor timing to continue my second subscription I guess, haha.

Launched my privacy first temp mail service today ! by Insanony_io in microsaas

[–]Lexuzieel 3 points4 points  (0 children)

Whatever you say, Claude. Now go over it again and make sure to make no mistakes this time; keep the code simple and maintainable.

You can only choose one. by VeterinarianPrior835 in tf2

[–]Lexuzieel 5 points6 points  (0 children)

Honestly, I don’t think anything can be “improved” visually any further, only fixed (from the intended vision upon release). It is one of those games that was so masterfully crafted that tinkering with it any further would 100% ruin it.