
How to Check AI-Generated Code Before Shipping: The Complete Guide

A step-by-step guide to reviewing and validating code written by Cursor, Bolt, Lovable, Claude Code, or ChatGPT before it goes to production.

Related checks: SEC-001, SEC-002, SEC-006, SEC-010, SEC-014, QUA-014, TRIVY

Quick Answer

AI coding tools like Cursor, Bolt, Lovable, Claude Code, and ChatGPT produce working code fast - but "working" is not the same as "safe to ship." Before going live, you need to check for leaked secrets, unprotected API routes, dependency vulnerabilities, missing input validation, performance problems, and AI-specific patterns like hallucinated imports. You can do this manually in 6-8 hours or use an automated code health platform like VibeDoctor to get a full diagnosis in under 5 minutes.

Why AI-Generated Code Needs a Second Opinion

Every AI coding tool - whether you use Cursor, ChatGPT, Claude Code, Bolt, or Lovable - has the same fundamental limitation: it writes code that compiles and runs, but it cannot test its own output against real-world security threats, live deployment conditions, or production performance requirements.

The AI does not run a vulnerability scan after generating an API route. It does not check whether the npm packages it imported actually exist. It does not verify that the database query it wrote is parameterized instead of interpolated. It does not test the live URL for SSL issues, broken links, or missing security headers.

This is not a flaw in any specific tool. It is a structural gap in how AI coding works. The AI generates. Something else needs to validate.

What to Check: The 7 Areas That Matter Most

Whether you are reviewing code written by ChatGPT, checking a Cursor project, or auditing a Bolt app before launch, these are the areas where AI-generated code fails most often.

1. Leaked Secrets and Hardcoded Credentials

AI tools routinely hardcode API keys, database passwords, and tokens directly in source files. They fill in placeholder values that developers forget to move to environment variables.

// What AI tools generate:
const stripe = new Stripe('sk_live_abc123def456...');

// What production code needs (the trailing ! is a TypeScript non-null
// assertion; drop it in plain JavaScript):
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);

Automated secret detection tools like Gitleaks scan your entire codebase (including git history) for 150+ patterns of API keys, private keys, and credentials. VibeDoctor runs Gitleaks as part of every scan and flags every match as critical severity.
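
As an added illustration (not VibeDoctor's or Gitleaks' code), here is the shape of such a detector: a handful of regex rules run over a constructed source file, skipping lines that already read from process.env. Gitleaks' real ruleset is far larger; the four rules, the file name and the sample lines below are assumptions chosen for this demo.

```javascript
// Added example, not VibeDoctor's or Gitleaks' code: a minimal secret detector
// run over constructed source text. Four illustrative rules stand in for the
// 150+ patterns a real scanner ships with.
const SECRET_RULES = [
  { id: 'stripe-live-key', pattern: /\bsk_live_[0-9A-Za-z]{8,}/ },
  { id: 'aws-access-key-id', pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'private-key-block', pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  // Generic: password/secret/token/apiKey assigned a literal string of 8+ chars.
  // No leading \b so camelCase names such as dbPassword are caught too.
  { id: 'hardcoded-credential', pattern: /(?:password|secret|token|api_?key)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// A line that reads the value from the environment is the fix, not a finding.
const READS_ENV = /process\.env\./;

function scanForSecrets(source, fileName = 'unknown') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    if (READS_ENV.test(line)) return;
    for (const rule of SECRET_RULES) {
      const match = line.match(rule.pattern);
      if (match) {
        findings.push({
          file: fileName,
          line: idx + 1,
          rule: rule.id,
          severity: 'critical',
          // Only a prefix is reported so the scan output itself does not leak the value.
          preview: match[0].slice(0, 10) + '...',
        });
      }
    }
  });
  return findings;
}

// Constructed sample, mirroring the article's Stripe example.
const SAMPLE_SOURCE = [
  "const stripe = new Stripe('sk_live_abc123def456ghi789');",
  "const safeStripe = new Stripe(process.env.STRIPE_SECRET_KEY);",
  "const dbPassword = 'correct-horse-battery';",
  "const region = 'us-east-1';",
].join('\n');

console.log(scanForSecrets(SAMPLE_SOURCE, 'src/billing.ts'));
```

Lines 1 and 3 of the sample are reported; line 2 is skipped because it reads from the environment. A real pipeline would also walk git history, as Gitleaks does, since a key removed from the working tree is still in an old commit.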

2. Unprotected API Routes

This is the single most common issue in AI-generated code. The AI creates Express, Fastify, or Next.js API routes that work immediately but almost never adds authentication middleware. Every endpoint is publicly accessible by default.

// AI-generated route - no auth check
app.get('/api/users/:id', async (req, res) => {
  const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
  res.json(user);
});

// What it should be: requireAuth runs before the handler and rejects
// unauthenticated requests, so the query never executes for them
app.get('/api/users/:id', requireAuth, async (req, res) => {
  const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
  res.json(user);
});
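
The fixed route above relies on a requireAuth middleware without showing it, and "check that every route has one" is left to manual review. The following added example (not VibeDoctor's or Express's code) supplies both: an Express-shaped requireAuth driven through a mock request/response, and a static check that lists route registrations lacking such a middleware. verifyToken, the token value, and the sample routes are assumptions for the demo.

```javascript
// Added example, not VibeDoctor's or Express's own code. Part 1 is a requireAuth
// middleware like the one the fixed route relies on; part 2 is a static check
// that lists Express-style route registrations that do not pass such a
// middleware. verifyToken is a hypothetical stand-in for a real session/JWT verifier.

function verifyToken(token) {
  // Hypothetical verifier: accepts one constructed token for the demo.
  return token === 'demo-valid-token' ? { userId: 42 } : null;
}

// Express-shaped middleware: respond 401 and stop before the handler runs.
function requireAuth(req, res, next) {
  const header = req.headers.authorization || '';
  const [scheme, token] = header.split(' ');
  const user = scheme === 'Bearer' && token ? verifyToken(token) : null;
  if (!user) {
    res.status(401).json({ error: 'unauthorized' });
    return;
  }
  req.user = user;
  next();
}

// Drive requireAuth with a mock req/res so its behaviour can be checked offline.
function runRequireAuth(authorizationHeader) {
  const req = { headers: authorizationHeader ? { authorization: authorizationHeader } : {} };
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let nextCalled = false;
  requireAuth(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode, user: req.user };
}

// Matches app.get('/path', <args>, handler) and captures the method, the path
// and whatever sits between the path and the handler (the middleware list).
const ROUTE_RE = /\b(?:app|router)\.(get|post|put|patch|delete)\(\s*(['"`])([^'"`]+)\2\s*,([^]*?)(?:async\b|function\b|\()/g;

function findUnprotectedRoutes(source, authNames = ['requireAuth'], publicPaths = []) {
  const unprotected = [];
  for (const m of source.matchAll(ROUTE_RE)) {
    const [, method, , path, middlewareArgs] = m;
    if (publicPaths.includes(path)) continue;            // deliberately public, e.g. a health check
    const hasAuth = authNames.some((name) => middlewareArgs.includes(name));
    if (!hasAuth) unprotected.push({ method: method.toUpperCase(), path });
  }
  return unprotected;
}

// Constructed sample of generated routes.
const SAMPLE_ROUTES = [
  "app.get('/health', (req, res) => res.send('ok'));",
  "app.get('/api/users/:id', async (req, res) => res.json(await db.user(req.params.id)));",
  "app.post('/api/orders', requireAuth, async (req, res) => res.json(await db.createOrder(req.body)));",
  "app.delete('/api/users/:id', requireAuth, async (req, res) => res.status(204).end());",
].join('\n');

console.log(findUnprotectedRoutes(SAMPLE_ROUTES, ['requireAuth'], ['/health']));
```

The static check is a regex heuristic, so it only sees routes registered directly on app or router with a string path; routes guarded by a global app.use(requireAuth) or by a router-level middleware need the allow-list or a richer parser. The payoff is that the check is repeatable on every commit, which the 1-2 hour manual review in the table below is not.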

3. Dependency Vulnerabilities (CVEs)

AI tools install packages without checking whether those packages have known security vulnerabilities. A single outdated dependency can contain a critical CVE that gives attackers remote code execution.

Running npm audit catches some of these, but a tool like Trivy cross-references your entire dependency tree against the National Vulnerability Database. VibeDoctor runs Trivy automatically and reports every CVE with its severity level and available fix version.

4. Missing Input Validation

AI-generated form handlers and API routes trust user input without validation. No Zod schemas, no Joi validation, no sanitization. User-supplied data flows directly into database queries, file operations, and external API calls.
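
To make the "validate before you touch the database" idea concrete, here is an added example (not VibeDoctor's code, and not the Zod or Joi API). A small hand-rolled schema check stands in for those libraries so the block runs without dependencies; the schema, the handler and the in-memory database are assumptions for the demo.

```javascript
// Added example, not VibeDoctor's code and not the Zod or Joi API. A small
// hand-rolled schema check stands in for those libraries so the block runs
// without dependencies; the idea carries over directly. db.insertUser is a
// hypothetical data-access call, replaced here by an in-memory stand-in.

const TYPE_CHECKS = {
  string: (v) => typeof v === 'string',
  integer: (v) => Number.isInteger(v),
  email: (v) => typeof v === 'string' && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
};

// Returns { ok, errors, value }. `value` holds only the fields named in the
// schema, so unexpected fields (isAdmin, role, ...) never reach the database.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'], value: null };
  }
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = input[field];
    if (v === undefined) {
      if (rule.required) errors.push(`${field}: required`);
      continue;
    }
    if (!TYPE_CHECKS[rule.type](v)) {
      errors.push(`${field}: expected ${rule.type}`);
      continue;
    }
    const size = typeof v === 'string' ? v.length : v;   // length for strings, magnitude for numbers
    if (rule.max !== undefined && size > rule.max) errors.push(`${field}: exceeds max ${rule.max}`);
    else if (rule.min !== undefined && size < rule.min) errors.push(`${field}: below min ${rule.min}`);
    else value[field] = v;
  }
  return { ok: errors.length === 0, errors, value: errors.length === 0 ? value : null };
}

const CREATE_USER_SCHEMA = {
  email: { type: 'email', required: true, max: 254 },
  displayName: { type: 'string', required: true, min: 1, max: 64 },
  age: { type: 'integer', min: 0, max: 150 },
};

// Route-shaped handler: validate first, and give the database only the
// whitelisted, type-checked value. Returns what the route would respond with.
function handleCreateUser(body, db) {
  const result = validate(CREATE_USER_SCHEMA, body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  const id = db.insertUser(result.value);
  return { status: 201, body: { id } };
}

// Constructed in-memory stand-in for the database layer.
function makeFakeDb() {
  return { rows: [], insertUser(row) { this.rows.push(row); return this.rows.length; } };
}

const demoDb = makeFakeDb();
console.log(handleCreateUser({ email: 'ada@example.com', displayName: 'Ada', isAdmin: true }, demoDb));
console.log(handleCreateUser({ email: 'not-an-email', displayName: '' }, demoDb));
```

Note what the first call drops: the unexpected isAdmin field is silently discarded rather than forwarded, which is the same mass-assignment protection a strict Zod object schema gives you. With Zod the equivalent is z.object({...}).strict() and schema.safeParse(req.body) at the top of the handler.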

5. AI-Specific Code Patterns

AI-generated code has failure modes that traditional linters were never designed to catch; the clearest example is the hallucinated import, where the generated code pulls in a package that does not exist on npm.

6. Performance and Live Site Issues

Code that works locally can still fail in production. Checking your live URL reveals problems that are invisible in the codebase, such as broken links, SSL certificate problems, missing security headers, and JavaScript runtime errors in the browser.

7. Security Headers and SSL

Most AI-generated apps ship with zero security headers (no HSTS, no CSP, no X-Frame-Options) and sometimes have SSL certificate issues. These are quick to fix but easy to miss without a dedicated check.
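
The header check is mechanical enough to automate. As an added example (not VibeDoctor's code), auditSecurityHeaders() below reports which of the headers named above, plus two common companions, a response lacks, and securityHeadersMiddleware() is an Express-shaped middleware that sets them. The header values and the sample response are assumptions for this demo.

```javascript
// Added example, not VibeDoctor's code. auditSecurityHeaders() reports which
// hardening headers a response lacks; securityHeadersMiddleware() is an
// Express-shaped middleware that sets them. The values are reasonable
// defaults chosen for this demo, not a prescription: CSP in particular has to
// be tuned to the scripts, styles and origins your app actually loads.

const REQUIRED_HEADERS = {
  'strict-transport-security': { severity: 'medium', suggested: 'max-age=31536000; includeSubDomains' },
  'content-security-policy': { severity: 'medium', suggested: "default-src 'self'" },
  'x-frame-options': { severity: 'medium', suggested: 'DENY' },
  'x-content-type-options': { severity: 'low', suggested: 'nosniff' },
  'referrer-policy': { severity: 'low', suggested: 'strict-origin-when-cross-origin' },
};

// headers: a plain object of response headers (as in Node's
// http.IncomingMessage.headers); names are compared case-insensitively.
function auditSecurityHeaders(headers) {
  const present = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  for (const [name, meta] of Object.entries(REQUIRED_HEADERS)) {
    if (!present.has(name)) {
      findings.push({ header: name, severity: meta.severity, issue: 'missing', suggested: meta.suggested });
    }
  }
  // Framework fingerprinting: Express sends this unless app.disable('x-powered-by') is called.
  if (present.has('x-powered-by')) {
    findings.push({ header: 'x-powered-by', severity: 'low', issue: 'present', suggested: 'remove' });
  }
  return findings;
}

function securityHeadersMiddleware(req, res, next) {
  for (const [name, meta] of Object.entries(REQUIRED_HEADERS)) res.setHeader(name, meta.suggested);
  next();
}

// Constructed sample: the headers a freshly generated Express app typically sends.
const SAMPLE_RESPONSE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Powered-By': 'Express',
};

// Run the middleware against a mock response and return the headers it set.
function hardenedHeaders() {
  const res = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
  securityHeadersMiddleware({}, res, () => {});
  return res.headers;
}

console.log(auditSecurityHeaders(SAMPLE_RESPONSE_HEADERS).map((f) => `${f.header}: ${f.issue}`));
console.log(auditSecurityHeaders(hardenedHeaders())); // []
```

Against a real deployment you would feed auditSecurityHeaders() the headers from fetch(liveUrl).then(r => Object.fromEntries(r.headers)); the output then matches what securityheaders.com tells you, but it runs in CI on every push.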

How to Check: Manual vs Automated

Manual Review (6-8 Hours)

Check                  Tool                              Time
Secret scanning        gitleaks detect --no-git          10 min
Dependency CVEs        npm audit or trivy fs .           10 min
Auth on API routes     Manual code review                1-2 hours
Input validation       Manual code review                1-2 hours
Performance            Lighthouse in Chrome DevTools     15 min
Security headers       securityheaders.com               5 min
SSL certificate        SSL Labs test                     5 min
AI-specific patterns   Manual inspection                 2-3 hours

Manual review works, but it is slow, inconsistent, and misses patterns that are hard to spot visually - especially hallucinated imports and N+1 queries buried deep in the codebase.

Automated with VibeDoctor (Under 5 Minutes)

VibeDoctor runs 129+ automated checks across 15 diagnostic areas in a single scan. Point it at a GitHub repo, a live URL, or both. It checks everything listed above - secrets, CVEs, auth, validation, AI-specific patterns, performance, headers, SSL, SEO, accessibility - and produces a single diagnostic report with severity scores, file paths, line numbers, and fix guidance.

The free tier gives you 1 scan per day with the full 129+ check battery. No credit card required.

Tool-by-Tool: What to Watch For

Checking Cursor-Generated Code

Cursor writes confident, well-structured code that compiles cleanly. The danger is subtle: missing auth middleware, wildcard CORS origins (Access-Control-Allow-Origin: *), and eval() calls for dynamic behavior. Cursor also mixes .then() with async/await frequently.

Checking ChatGPT-Generated Code

ChatGPT is the most likely to generate SQL injection patterns (string interpolation in queries), dangerouslySetInnerHTML without sanitization, and hallucinated package names. It also fills in placeholder API keys that developers forget to replace.

Checking Bolt and Lovable Apps

Bolt and Lovable generate full-stack apps with databases and API layers. The most common issues: missing Supabase Row Level Security policies, unprotected API routes, client-side secret exposure via VITE_ prefixes, and no rate limiting on any endpoint.

Checking Claude Code Projects

Claude Code produces sophisticated, well-documented code. The patterns to watch: missing CSRF protection on state-changing routes, insecure cookie configuration (no httpOnly or secure flags), and N+1 database query patterns.
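
The patterns called out in the four tool sections above are all visible on a single line of source, so one line-oriented scanner can cover them. This added example (not VibeDoctor's code) flags string-built SQL, eval() calls, a wildcard CORS origin, dangerouslySetInnerHTML without a sanitizer call, and cookies set without both httpOnly and secure. The rules are heuristics chosen for the demo, and the sample file is constructed.

```javascript
// Added example, not VibeDoctor's code: one scanner for the tool-specific
// patterns named above (string-built SQL, eval(), wildcard CORS origin,
// unsanitized dangerouslySetInnerHTML, cookies set without httpOnly and
// secure). Each rule is a heuristic over a single line.

const AI_PATTERN_RULES = [
  {
    id: 'sql-string-interpolation', severity: 'critical',
    // SQL keyword on a line that also interpolates (${...}) or concatenates ('...' + x).
    // Parameterized queries ($1, ?) do not trip it.
    test: (l) => /\b(?:SELECT|INSERT|UPDATE|DELETE)\b/i.test(l) && /\$\{|['"]\s*\+\s*\w/.test(l),
  },
  { id: 'eval-call', severity: 'high', test: (l) => /\beval\s*\(/.test(l) },
  {
    id: 'cors-wildcard-origin', severity: 'high',
    test: (l) => /(?:Access-Control-Allow-Origin|origin)\b[^\n]*['"]\*['"]/.test(l),
  },
  {
    id: 'unsanitized-inner-html', severity: 'high',
    test: (l) => /dangerouslySetInnerHTML/.test(l) && !/DOMPurify|sanitize/i.test(l),
  },
  {
    id: 'cookie-missing-flags', severity: 'medium',
    test: (l) => /res\.cookie\(|Set-Cookie/.test(l) && !(/httponly/i.test(l) && /\bsecure\b/i.test(l)),
  },
];

function scanAiPatterns(source, fileName = 'unknown') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const rule of AI_PATTERN_RULES) {
      if (rule.test(line)) {
        findings.push({ file: fileName, line: idx + 1, rule: rule.id, severity: rule.severity });
      }
    }
  });
  return findings;
}

// Constructed sample: each risky line is paired with a safe counterpart where one exists.
const SAMPLE_FILE = [
  "const rows = await db.query(`SELECT * FROM users WHERE email = '${req.body.email}'`);",
  "const safe = await db.query('SELECT * FROM users WHERE email = $1', [req.body.email]);",
  "app.use(cors({ origin: '*' }));",
  "const out = eval(req.query.expr);",
  "<div dangerouslySetInnerHTML={{ __html: post.body }} />",
  "<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(post.body) }} />",
  "res.cookie('session', token, { httpOnly: true, secure: true, sameSite: 'lax' });",
  "res.cookie('prefs', JSON.stringify(prefs));",
].join('\n');

console.log(scanAiPatterns(SAMPLE_FILE, 'src/server.js').map((f) => `${f.line}: ${f.rule}`));
```

Lines 1, 3, 4, 5 and 8 are reported; lines 2, 6 and 7 show the corresponding fixes and pass. Single-line heuristics miss a query assembled across several statements or a cookie options object defined elsewhere, so treat the output as a triage list for the manual review, not a substitute for it.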

When to Check

The best time to check AI-generated code is before every deployment, not just before launch. Issues introduced in one coding session can compound across multiple deployments.

The Vibe Check Before You Ship

Here is the minimum checklist before any AI-built app goes to production:

Check                    Severity   What You Are Looking For
No hardcoded secrets     Critical   API keys, passwords, tokens in source files
Auth on every route      Critical   Middleware on all data-accessing endpoints
No known CVEs            Critical   Zero critical/high vulnerabilities in dependencies
Input validated          High       Zod/Joi schemas on API endpoints
No hallucinated imports  High       Every imported package exists on npm
SSL valid                High       Certificate active and not expiring soon
Security headers set     Medium     HSTS, CSP, X-Frame-Options configured
Performance acceptable   Medium     Lighthouse score above 50, no N+1 queries
Tests exist              Medium     At least auth and payment flows tested
No console errors        Low        Zero JavaScript runtime errors on live URL

FAQ

Is there a free tool to check AI-generated code?

Yes. VibeDoctor offers a free tier with 1 scan per day and the full 129+ check diagnostic. Point it at a GitHub repo or live URL and get a complete report in under 5 minutes. No credit card required.

Can I just ask the AI to review its own code?

You can, but the AI cannot run security tools against your actual codebase, check your dependencies for CVEs, test your live URL for SSL issues, or detect hallucinated imports. It can only review the code you show it - and it tends to confirm its own patterns rather than catch its own mistakes. An external tool provides independent validation.

How do I know if my vibe-coded app is production ready?

Production readiness means zero critical findings in security, valid SSL, working authentication on all endpoints, validated input, no known CVEs in dependencies, and acceptable performance scores. VibeDoctor gives you a Vitals score from 0 to 100 that summarizes all of this in a single number.

Is AI-generated code less secure than human-written code?

Research shows AI-generated code has 2.74x more security vulnerabilities than human-written code on average. The issues are not random - they follow consistent patterns (missing auth, missing validation, hardcoded secrets) that are predictable and detectable with the right tools.

What should I do after the initial check?

Set up continuous monitoring. New vulnerabilities in your dependencies are published daily, and every code change can introduce new issues. VibeDoctor's paid plans include automatic scanning on every git push and weekly status reports so you catch problems before your users do.

Does it matter which AI tool I used?

The specific patterns vary by tool (Cursor has more CORS issues, ChatGPT has more SQL injection, Bolt has more missing auth), but every AI coding tool produces code that needs external validation. The checking process is the same regardless of which tool generated the code.

Diagnose your codebase - free

VibeDoctor checks for SEC-001, SEC-002, SEC-006, SEC-010, SEC-014, QUA-014, TRIVY and 128 other issues across 15 diagnostic areas - security, performance, code quality, and more.
