Try it live: AINAScan. Paste your code, get a Vibe Score (0-100) with a grade from S to F-. Free, no signup.
Every week I see the same bug in AI-generated code:
async def fetch_user_data(user_id: str):
    data = db.query(f"SELECT * FROM users WHERE id = '{user_id}'")
    return data
Two bugs in 3 lines. Can you spot them?
- async def with zero await calls: pointless async
- f-string in SQL: classic injection
Default linter configurations pass this clean. Mypy passes this clean, because the types are fine. The CI goes green. The tools that do catch it (bandit's B608 check for string-built SQL, for example) are rarely part of a default setup.
Why AI keeps writing this
Language models predict likely tokens. async def get_ is almost always followed by a function body that looks async. The model has seen thousands of examples where async functions return data, so it generates one that looks right but isn't.
The FAKE_ASYNC pattern:
- Function declared async
- No await anywhere in the body
- No asyncio calls
It's valid Python. It runs. It just brings zero benefit, and worse, it hides blocking calls: a synchronous db.query inside an async def still blocks the event loop, while the signature tells every caller the function is non-blocking.
The other one: SQL injection via f-string
# AI writes this constantly
query = f"SELECT * FROM users WHERE id = '{user_id}'"
cursor.execute(query)
# Should be:
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
The model learned f-strings from millions of examples. It also learned SQL queries from millions of examples. When it combines them, it combines the patterns, not the security awareness.
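To see why the "should be" version matters, here is the two queries side by side against an in-memory SQLite database. This is an added example, not code from the original post or from AINAScan; the users table, the rows in it and the payload string are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post):
# two users, each with a secret the other should never see.
USERS = [("1", "alice", "alice-secret"), ("2", "bob", "bob-secret")]

# A classic tautology payload: closes the quoted literal, then makes the
# WHERE clause true for every row.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def fetch_user_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern from the post: user_id is spliced into the SQL text,
    so anything the caller passes is parsed as part of the statement."""
    return conn.execute(
        f"SELECT * FROM users WHERE id = '{user_id}'"
    ).fetchall()


def fetch_user_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized form: user_id is bound as a value by the driver and
    can never change the structure of the statement."""
    return conn.execute(
        "SELECT * FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def demo() -> dict:
    """Run both variants with a normal id and with the payload."""
    conn = make_db()
    return {
        "unsafe_normal": fetch_user_unsafe(conn, "1"),
        "unsafe_attack": fetch_user_unsafe(conn, PAYLOAD),  # leaks every row
        "safe_normal": fetch_user_safe(conn, "1"),
        "safe_attack": fetch_user_safe(conn, PAYLOAD),  # no such id: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The placeholder syntax is driver-specific: sqlite3 uses `?`, while psycopg2 and most MySQL drivers use `%s`, but in every case the values travel in the separate tuple, not in the query string. Note also that the safe variant does not "sanitize" the payload; it simply treats it as data, which is why it returns nothing rather than erroring.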
How to catch both automatically
curl -X POST https://pleasing-transformation-production-90c2.up.railway.app/v1/scan \
-H "X-API-Key: vg_free_test" \
-F "file=@your_file.py"
Response:
{
"issues": [
{
"kind": "FAKE_ASYNC",
"severity": "WARN",
"line": 1,
"detail": "async def fetch_user_data has no await: remove async or add await"
},
{
"kind": "SQL_INJECTION_RISK",
"severity": "BLOCK",
"line": 2,
"detail": "f-string interpolation in SQL query: use parameterized query"
}
],
"passed": false
}
Or add it to GitHub CI:
- uses: Moonsehwan/aina-vibeguard-action@v1
with:
api-key: ${{ secrets.VIBEGUARD_KEY }}
Free key during beta: vg_free_test
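If you want the same two checks locally with no network call, the FAKE_ASYNC rules listed above and the f-string-in-SQL rule can both be expressed over Python's own ast module. The following is an added example written for this post, not AINAScan's implementation; it only mirrors the shape of the JSON response shown above. It goes slightly beyond the post by also flagging `%`-formatting and `str.format()` on a SQL string, since those carry the same injection risk as an f-string. The sample source it scans is constructed for the demo.

```python
import ast

SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def _uses_async(node: ast.AST) -> bool:
    """True if the body contains await / async for / async with, or any
    asyncio.* call. Nested function bodies are skipped: their awaits do
    not make the enclosing function asynchronous."""
    for child in ast.iter_child_nodes(node):
        if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        if isinstance(child, (ast.Await, ast.AsyncFor, ast.AsyncWith)):
            return True
        if (isinstance(child, ast.Call)
                and isinstance(child.func, ast.Attribute)
                and isinstance(child.func.value, ast.Name)
                and child.func.value.id == "asyncio"):
            return True
        if _uses_async(child):
            return True
    return False


def _interpolated_sql(node: ast.AST) -> bool:
    """True if node builds a string by interpolation (f-string, % formatting
    or str.format) and the literal part starts with a SQL keyword."""
    if isinstance(node, ast.JoinedStr):
        literal = "".join(v.value for v in node.values
                          if isinstance(v, ast.Constant) and isinstance(v.value, str))
    elif (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod)
          and isinstance(node.left, ast.Constant) and isinstance(node.left.value, str)):
        literal = node.left.value
    elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
          and node.func.attr == "format"
          and isinstance(node.func.value, ast.Constant)
          and isinstance(node.func.value.value, str)):
        literal = node.func.value.value
    else:
        return False
    return literal.lstrip().upper().startswith(SQL_KEYWORDS)


def report(source: str) -> dict:
    """Scan Python source and return {"issues": [...], "passed": bool},
    the same shape as the scanner response quoted in the post."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.AsyncFunctionDef) and not _uses_async(node):
            issues.append({"kind": "FAKE_ASYNC", "severity": "WARN",
                           "line": node.lineno,
                           "detail": f"async def {node.name} has no await: "
                                     "remove async or add await"})
        elif _interpolated_sql(node):
            issues.append({"kind": "SQL_INJECTION_RISK", "severity": "BLOCK",
                           "line": node.lineno,
                           "detail": "string interpolation builds a SQL "
                                     "statement: use a parameterized query"})
    issues.sort(key=lambda i: i["line"])
    return {"issues": issues,
            "passed": not any(i["severity"] == "BLOCK" for i in issues)}


# Constructed sample input: the snippet from the post, a correct async
# function, and a legacy %-formatted query.
SAMPLE = '''
async def fetch_user_data(user_id: str):
    data = db.query(f"SELECT * FROM users WHERE id = '{user_id}'")
    return data

async def fetch_user_ok(user_id: str):
    return await db.fetch_one("SELECT * FROM users WHERE id = ?", (user_id,))

def legacy(user_id):
    return db.query("SELECT * FROM users WHERE id = %s" % user_id)
'''

if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE), indent=2))
```

Two caveats a reviewer should keep in mind before wiring this into CI. FAKE_ASYNC is a warning, not a bug by itself: an `async def` with no await is sometimes required to satisfy an async interface or a framework's handler signature, so triage it rather than auto-fail on it. The SQL rule, on the other hand, only inspects the literal prefix, so a query built in pieces (`"SELECT ... " + where_clause`) or one that starts with `WITH` slips past it; treat a clean result as "nothing obvious", not as proof.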
What patterns are you seeing in your AI-generated code? Drop them below. If it's a real pattern we're not catching, we'll add it.
What's Your Vibe Score?
Paste any file. Get a score 0-100, a grade (S to F-), and a per-vulnerability roast.
Supports Python, JS, TS, Go, Ruby, Java, Kotlin, PHP, C/C++ · No signup · Instant results