Vibe coding has changed the game. Tools like Lovable, Claude Code, Cursor, Bolt, and Replit let anyone describe an app in plain English and have working code generated in minutes. It's genuinely impressive — and for prototyping, it's revolutionary.
But here's the problem: the code AI generates is optimised for "looks right on screen," not "works right in production."
After reviewing dozens of vibe coded applications for Australian businesses, we see the same five problems over and over again. If you've built something with an AI coding tool and you're thinking about launching it, read this first.
1. Security is an afterthought (if it's a thought at all)
This is the big one. AI coding tools consistently generate applications with serious security vulnerabilities:
- Hardcoded API keys in client-side code — visible to anyone who opens browser DevTools
- No input validation — user-submitted data goes straight to the database without sanitisation
- Missing authentication checks — API routes that should be protected are left wide open
- No rate limiting — your sign-up form can be hit 10,000 times per minute
- Default CORS settings — allowing any website in the world to call your API
The AI doesn't think about security because it's not trying to protect your app — it's trying to make it work. Those are very different goals.
What to do: Before you launch anything, you need a security audit. Check for exposed secrets, add input validation to every form and API route, enforce authentication on protected routes, and configure CORS properly. If you're not sure how to do this, get a professional code review.
2. Error handling doesn't exist
Ask an AI to build a form that submits data to an API. It will build the happy path perfectly — the form submits, the data saves, the user sees a success message. Beautiful.
Now try submitting the form when:
- The API is down
- The user's internet drops mid-submission
- The database rejects the data because of a constraint violation
- The user double-clicks the submit button
- The session token has expired
In most vibe coded apps, none of these scenarios are handled. The app just breaks silently. The user sees a white screen, or nothing happens, or they get a cryptic error message that means nothing to them.
This isn't a minor issue. In production, with real users, things go wrong constantly. Your app needs to handle every failure gracefully — with clear error messages, retry logic, and fallback states. AI tools almost never generate any of this.
What to do: Go through every user interaction in your app and ask: "What happens if this fails?" If the answer is "I don't know" or "it crashes," you have work to do.
3. The code is unmaintainable
AI generates code that works, but it generates it without any concept of architecture. Common patterns we see:
- 500-line components that do five different things
- The same logic duplicated across 10 different files with slight variations
- No separation of concerns — business logic, API calls, and UI rendering all tangled together in the same function
- Inconsistent naming —
userData,user_info,userProfile, andcurrentUserall referring to the same thing - No TypeScript types — or types that are
anyeverywhere, defeating the purpose entirely
This matters because at some point you'll need to change something. Add a feature. Fix a bug. And when you try, you'll find that changing one thing breaks three other things because everything is interconnected in ways the AI didn't plan for.
What to do: Refactoring is not optional — it's an investment. Clean code is cheaper to maintain, easier to debug, and faster to extend. If you can't confidently explain how your codebase is structured, it needs professional cleanup. We do this every day.
4. Performance collapses under real load
AI-generated code works fine when you're the only user. It starts to show cracks at 10 concurrent users. It falls over at 100.
The most common performance problems in vibe coded apps:
| Problem | What it looks like | Why AI does it |
|---|---|---|
| N+1 database queries | Page loads take 5+ seconds | AI writes a query per item instead of batching |
| No caching | Every page load hits the database | AI doesn't think about repeated requests |
| Huge JavaScript bundles | Slow initial page load, especially on mobile | AI imports entire libraries for one function |
| Unoptimised images | 5MB hero images on every page | AI doesn't compress or resize assets |
| Client-side data fetching | Content flashes in after page loads | AI defaults to useEffect instead of server-side |
| Missing pagination | Loads 10,000 records at once | AI doesn't anticipate data volume |
The fundamental issue is that AI doesn't think about scale. It solves for "make this work right now" — not "make this work when 500 people use it simultaneously."
What to do: Run a performance audit. Check your database queries for N+1 patterns. Implement caching where it makes sense. Optimise your bundle size. Use server-side rendering for data-heavy pages. And test with realistic data volumes — not 3 test records.
5. Deployment and infrastructure are fragile
Your vibe coded app works perfectly in the development environment. You deploy it to production and... it breaks.
We see this constantly:
- Environment variables that exist in
.env.localbut aren't configured in the hosting platform - Database connections that work locally with SQLite but fail with the production PostgreSQL instance
- File uploads that save to the local filesystem (which gets wiped on every deployment)
- No CI/CD pipeline — deployments are manual, unrepeatable, and nerve-wracking
- No monitoring — when something breaks in production, you find out from your users, not your alerts
AI tools often generate code that's tightly coupled to the development environment. Moving it to production requires understanding infrastructure, networking, and deployment pipelines — things AI doesn't reason about well.
What to do: Set up a proper deployment pipeline. Configure your environment variables in your hosting platform. Use a managed database service. Add error tracking (Sentry is free for small projects). Set up uptime monitoring. And deploy to a staging environment first — never straight to production.
The bottom line
Vibe coding is incredible for getting from zero to prototype. The mistake people make is thinking the prototype is the product.
It's not. The prototype is the starting point.
The gap between "works on my screen" and "ready for real users" is where most of these AI tools leave you stranded. Closing that gap requires the kind of systematic thinking — about security, error handling, architecture, performance, and infrastructure — that AI doesn't do.
If you've built something with Lovable, Claude Code, Cursor, Bolt, or any other AI tool and you're getting ready to launch, spend the time (or the money) to get it reviewed properly. It's dramatically cheaper to fix these problems now than after your users find them.
About A Dark Cloud Creative
We're an Australian technology studio based in Perth. We specialise in fixing and cleaning up vibe coded applications — code reviews, bug fixes, security hardening, refactoring, and production deployment. We also handle web development, Microsoft 365, cyber security, and business analysis.
Related reading: