The Price of Vibecoding

A look into BizzFed's security collapse, the Fediverse's immune response, and the dangerous reality of relying on AI-assisted "vibecoding" for infrastructure.

Photo by Bernd 📷 Dittrich / Unsplash

Looking at the current world of commercial social media, few platforms feel as exhausting as Microsoft's LinkedIn. It has become an ecosystem optimised for algorithmic manipulation, content generated by Large Language Models (LLMs, the output of which people have come to call "AI slop") and corporate tracking.

For anyone advocating and promoting the Open Social Web, the alternative seems obvious: we need a decentralised, private alternative to LinkedIn that is built on open protocols like ActivityPub. A place where professionals, freelancers and companies can connect without a central middleman collecting and selling their data.

An earlier idea for a post on this blog was a new part of the series "A Beginner's Guide to Decentralized Social Media" about Bizzfed. But as I looked into the platform, I found a massive security breach that was a direct result of how Bizzfed was, and still is, built. Let's unravel why the platform became a textbook example of the hidden dangers of vibecoding, the practice of letting LLM agents write an entire piece of software and deploy it into production.

The Illusion of Transparency

The development of Bizzfed is unusual. The Codeberg repository carries an explicit "AI-Notice" in which the developer, René Hamdorf, transparently states that large portions of Bizzfed's codebase were generated by Anthropic's Claude LLM. Those commits are tagged with a Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> trailer.

In earlier project announcements, Hamdorf defended this workflow (the original announcement is in German; the translation is mine):

AI-assisted development: Yes, Claude from Anthropic was my development assistant, the way other developers use Copilot or Cursor today. I write, review and take responsibility for the code. The project is Open Source (AGPL-3.0), anyone can take a look: codeberg.org/rhamdorf/BizzFed

On paper, that sounds like a win for Open Source. But in the world of cyber security and decentralised infrastructure you can't just "vibe" your way through code review.


When the LLM Handles the Deployment

Scepticism in the community grew as users looked under the hood. One user shared that Claude had not only generated a large part of the codebase but had also been responsible for the deployment and configuration.

From my own experience I can say: when you stop intimately understanding your own deployment pipeline because you let an LLM drive your terminal, disaster is usually only a coin flip away. And Hamdorf lost that coin flip.

Within days of the early-access release, the official Bizzfed account was compromised: the LLM had published the account password in the public repository, and Bizzfed's Two-Factor Authentication (2FA) process was not working, so the password alone was enough. The hijacked account then published posts like "SLOP SLOP SLOP SLOP SLOP SLOP SLOP" and "Sad to see another good idea be ruined by vibecoding..."

Screenshot of the posts released when the official Bizzfed account was compromised: the thread moves from a security exposure warning to a complaint about "vibecoding" and a spam post reading "SLOP SLOP SLOP...". Source: @ryan_harg@chaos.social
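The concrete failure here, a credential landing in a public repository, is cheap to catch before the commit ever leaves the developer's machine, whether a human or an LLM agent typed the command. What follows is an added example and not code from BizzFed or its author: a small Python pre-commit scan that inspects only the added lines of a unified diff, flags known credential shapes (key/value assignments, passwords embedded in connection URLs, private key blocks, GitHub token prefixes) and high-entropy strings, skips obvious placeholders such as "changeme", and masks the secret value in its report so the hook output itself does not leak it. The regex patterns, the entropy threshold and the sample diff are assumptions constructed for illustration.

```python
"""Pre-commit secret scan over the added lines of a unified diff.

Added example, not BizzFed's or its author's code. PATTERNS, ENTROPY_THRESHOLD
and SAMPLE_DIFF are constructed for illustration.
"""
import math
import re
import subprocess
import sys
from dataclasses import dataclass

# (kind, regex, index of the capture group that holds the sensitive value)
PATTERNS = [
    ("credential assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{6,})"), 1),
    ("credential in URL",      # user:password@host in a connection string
     re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"), 1),
    ("private key material", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)"), 1),
    ("github token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"), 1),
]
# Values that are clearly placeholders in example config; do not block on them.
PLACEHOLDERS = re.compile(r"(?i)^(changeme|example|placeholder|x{3,}|\*+|<[^>]*>|\$\{[^}]*\}|your[_-].*)$")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}")   # candidate for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits/char; random alphanumeric material sits near 5.0


@dataclass
class Finding:
    file: str
    line_no: int   # line number in the new version of the file
    kind: str
    masked: str    # the offending line with the secret value replaced by ****


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(file: str, line_no: int, text: str) -> list:
    """Apply the known-shape patterns, then fall back to an entropy check."""
    found = []
    for kind, rx, grp in PATTERNS:
        m = rx.search(text)
        if not m:
            continue
        value = m.group(grp)
        if kind == "credential assignment" and PLACEHOLDERS.match(value):
            continue
        found.append(Finding(file, line_no, kind, text.replace(value, "****")))
    if not found:
        for tok in TOKEN.findall(text):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                found.append(Finding(file, line_no, "high-entropy string", text.replace(tok, "****")))
                break
    return found


def scan_added_lines(diff_text: str) -> list:
    """Walk a unified diff and scan only the '+' lines, tracking file and line."""
    findings, current_file, new_line = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:]
            current_file = current_file[2:] if current_file.startswith("b/") else current_file
            continue
        if raw.startswith(("diff ", "--- ", "index ")):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            findings.extend(scan_line(current_file, new_line, raw[1:]))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue   # removed line or "\ No newline at end of file" marker
        else:
            new_line += 1   # unchanged context line
    return findings


def scan_staged() -> list:
    """Scan what `git commit` is about to record (run from inside a repository)."""
    diff = subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return scan_added_lines(diff)


# Constructed sample diff: a new .env file plus an unrelated config change.
SAMPLE_DIFF = """\
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,5 @@
+DATABASE_URL=postgres://bizz:Wq7!zR2pL9mX@db.internal:5432/bizzfed
+MASTODON_PASSWORD=Tr0ub4dor&3-but-longer
+APP_ENV=production
+TOTP_SECRET=JBSWY3DPEHPK3PXP
+SESSION_KEY_B64=q3Zr8vL2kT9wXb5nJd7hYm4pRc6sFa1g
diff --git a/config/example.yml b/config/example.yml
--- a/config/example.yml
+++ b/config/example.yml
@@ -1,2 +1,3 @@
 smtp:
   password: changeme
+  from: noreply@example.org
"""

if __name__ == "__main__":
    results = scan_staged() if "--staged" in sys.argv else scan_added_lines(SAMPLE_DIFF)
    for f in results:
        print(f"{f.file}:{f.line_no}: {f.kind}: {f.masked}")
    sys.exit(1 if results else 0)   # non-zero exit makes git abort the commit
```

Run without arguments it scans the embedded sample and reports four findings in .env (the URL password, two assignments, one high-entropy key) while ignoring the "changeme" placeholder that is only context in the second hunk. Saved as .git/hooks/pre-commit with a `python3 scan.py --staged` invocation, it refuses the commit instead; the point is that the check sits in the pipeline regardless of who, or what, is driving the terminal.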

The Immune Response of the Fediverse

In decentralised networks, security is a collective responsibility. If an instance is poorly managed and secured, or leaks staff credentials, it becomes an attack vector for spam, malicious data injection or security exploits across the entire network. The reaction of some Fediverse instance admins was therefore swift and uncompromising: they started to defederate from Bizzfed's main instance.

This was a natural immune response of the Fediverse. Handing the keys to an LLM agent contradicts the very culture of the decentralised web and the core of what makes self-hosting safe.

A Hard Lesson for the Open Web

The irony of the Bizzfed situation is painful. We need an alternative to LinkedIn and co. without commercial AI slop and toxic "hustle culture", yet this attempt at one was compromised by its own reliance on vibecoding.

Let me be clear: LLMs and AI technology can be a good tool if used correctly, but over-reliance on them leads to situations like this. You can't delegate responsibility to an LLM in the sovereign and decentralised web, as true sovereignty requires human vigilance.

What do you think? Was this proof that the Fediverse is too fragile for vibecoding, or was it a case of poor human oversight? Let me know your thoughts! 🤖

If you want to hear more from me, you can find me in the Fediverse at @gelbphoenix@social.gelbphoenix.de (Mastodon) or @gelbphoenix@gram.social (Pixelfed). For more posts like this, subscribe to my newsletter or support me by becoming a member or donating.
