Every week I see the same bug in AI-generated code:
```python
async def fetch_user_data(user_id: str):
    data = db.query(f"SELECT * FROM users WHERE id = '{user_id}'")
    return data
```
Two bugs in 3 lines. Can you spot them?
- `async def` with zero `await` calls — pointless async
- f-string in SQL — classic injection
Standard linters pass this clean. Mypy passes this clean. The CI goes green.
Why AI keeps writing this
Language models predict likely tokens. `async def get_` is almost always followed by a function body that looks async. The model has seen thousands of examples where async functions return data — so it generates one that looks right but isn't.
The FAKE_ASYNC pattern:
- Function declared `async`
- No `await` anywhere in the body
- No `asyncio` calls
It's valid Python. It runs. It just brings zero benefit and hides actual blocking calls.
The other one: SQL injection via f-string
```python
# AI writes this constantly
query = f"SELECT * FROM users WHERE id = '{user_id}'"
cursor.execute(query)

# Should be:
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
```
The model learned f-strings from millions of examples. It also learned SQL queries from millions of examples. When it combines them, it combines the patterns — not the security awareness.
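As an added example (not the post's code and not VibeGuard's scanner), here is a minimal `ast`-based check that flags both patterns above; `SAMPLE` is a constructed input and the function names are assumptions:

```python
import ast
from typing import List, Tuple

# Constructed sample: the post's snippet plus a correctly written sibling.
SAMPLE = '''
async def fetch_user_data(user_id: str):
    data = db.query(f"SELECT * FROM users WHERE id = '{user_id}'")
    return data

async def fetch_user_ok(user_id: str):
    return await db.fetch("SELECT * FROM users WHERE id = ?", (user_id,))
'''

SQL_VERBS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")
AWAIT_LIKE = (ast.Await, ast.AsyncFor, ast.AsyncWith)
NEW_SCOPE = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)

def _has_await(node: ast.AST) -> bool:
    """True if an await / async for / async with appears in this scope only."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, AWAIT_LIKE):
            return True
        if isinstance(child, NEW_SCOPE):
            continue  # a nested def has its own async contract
        if _has_await(child):
            return True
    return False

def _is_sql_fstring(node: ast.JoinedStr) -> bool:
    """f-string whose literal prefix is a SQL verb and that interpolates a value."""
    if not node.values or not any(isinstance(v, ast.FormattedValue) for v in node.values):
        return False
    head = node.values[0]
    return (isinstance(head, ast.Constant) and isinstance(head.value, str)
            and head.value.lstrip().upper().startswith(SQL_VERBS))

def scan_source(src: str) -> List[Tuple[str, str, int, str]]:
    """Return (kind, severity, line, detail) tuples, ordered by line."""
    issues = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.AsyncFunctionDef) and not _has_await(node):
            issues.append(("FAKE_ASYNC", "WARN", node.lineno,
                           f"async def {node.name} has no await"))
        elif isinstance(node, ast.JoinedStr) and _is_sql_fstring(node):
            issues.append(("SQL_INJECTION_RISK", "BLOCK", node.lineno,
                           "f-string interpolation in SQL query"))
    return sorted(issues, key=lambda i: i[2])

if __name__ == "__main__":
    for kind, sev, line, detail in scan_source(SAMPLE):
        print(f"{sev:5} line {line}: {kind}: {detail}")
```

This only catches the f-string form of the SQL bug; string concatenation and `.format()` need their own rules.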
How to catch both automatically
```bash
curl -X POST https://pleasing-transformation-production-90c2.up.railway.app/v1/scan \
  -H "X-API-Key: vg_free_test" \
  -F "file=@your_file.py"
```
Response:
```json
{
  "issues": [
    {
      "kind": "FAKE_ASYNC",
      "severity": "WARN",
      "line": 1,
      "detail": "async def fetch_user_data has no await — remove async or add await"
    },
    {
      "kind": "SQL_INJECTION_RISK",
      "severity": "BLOCK",
      "line": 2,
      "detail": "f-string interpolation in SQL query — use parameterized query"
    }
  ],
  "passed": false
}
```
Or add it to GitHub CI:
```yaml
- uses: Moonsehwan/aina-vibeguard-action@v1
  with:
    api-key: ${{ secrets.VIBEGUARD_KEY }}
```
Free key during beta: vg_free_test
What patterns are you seeing in your AI-generated code? Drop them below — if it's a real pattern we're not catching, we'll add it.