I code-reviewed 3 "vibe-coded" PRs last week. Every one had hardcoded API keys. So I built a grader.

wd400 — Sat, 11 Apr 2026 03:19:17 +0000

"Vibe coding" is everywhere. You prompt an AI, it writes your whole project, you ship it.

Last week I reviewed 3 PRs from vibe-coded projects. All three had hardcoded API keys in the source. Two had no tests. One had a raw eval() on user input.

So I built vibescore.

What it does

pip install vibescore
vibescore .

One command. Letter grade from A+ to F. Four dimensions:

Category	What it checks
Security	Hardcoded secrets, SQL injection, eval/exec, insecure defaults
Code Quality	Function length, complexity, nesting depth, type hint coverage
Dependencies	Pinning, lock files, deprecated packages, known CVEs
Testing	Test count vs LOC ratio, coverage setup, CI configuration

Example output

vibescore v0.4.0 — Project Report
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Security     B+  (no hardcoded secrets, 2 eval() calls found)
  Code Quality C   (4 functions >50 lines, low type hint coverage)
  Dependencies A-  (all pinned, lock file present)
  Testing      D   (3 tests for 2,400 LOC)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  OVERALL      C+

Supported languages

Python (AST-based analysis)
JavaScript/TypeScript (regex-based)
Rust (VC221-VC227: unwrap density, unsafe blocks, doc comments, clone detection)
Go (VC231-VC237: unchecked errors, goroutine leaks, naked returns, panic in library code)

Extra features

vibescore --init-ci — generates a GitHub Actions workflow
vibescore --watch — re-scans on file changes in real-time
vibescore --dashboard — historical grade tracking (Streamlit web UI)
vibescore --save-history — save scan results for trend analysis
Zero dependencies. 201 tests.

Comparison

SonarQube: requires a Java server, complex setup, enterprise pricing
Codacy/CodeClimate: SaaS, requires account, sends code to servers
pylint/ruff: lint rules only, no security/testing/dependency analysis, no single grade
vibescore: one pip install, one command, local-only, zero deps, covers 4 dimensions with a letter grade

GitHub: github.com/stef41/vibescore
PyPI: pypi.org/project/vibescore

Feedback welcome — especially ideas for new check categories or language support.

I got mass-flagged by GPTZero for my own writing. So I built an open-source alternative in pure Python.

wd400 — Sat, 11 Apr 2026 03:18:51 +0000

Every AI text detector is either paid or closed-source.

GPTZero charges $15/month. Originality.ai charges per scan. Turnitin locks you into institutional contracts. And all of them are black boxes — when they flag your text as AI-generated, you have no idea why.

I got tired of this. Especially after GPTZero flagged my own human-written paragraphs as "98% AI."

So I built lmscan.

What it does

pip install lmscan
lmscan "paste any text here"
→ 82% AI probability, likely GPT-4

It analyzes 12 statistical features — burstiness, entropy, Zipf deviation, vocabulary richness, slop-word density — and fingerprints 9 LLM families.

No neural network. No API key. No internet. Runs in <50ms.

The detection approach

AI text is unnaturally smooth. Humans write in bursts — short punchy sentences followed by long rambling ones. LLMs produce eerily consistent sentence lengths.

LLMs also have vocabulary tells:

GPT-4 loves "delve" and "tapestry"
Claude says "I think it's worth noting"
Llama overuses "comprehensive" and "crucial"

lmscan scores text against each family's marker set to fingerprint the source.

Python API

from lmscan import scan
result = scan("your text")
print(f"{result.ai_probability:.0%} AI, likely {result.fingerprint.model}")

Features

12 statistical features (burstiness, entropy, Zipf deviation, hapax legomena, vocabulary richness, slop-word density, and more)
9 LLM fingerprints (GPT-4, Claude, Gemini, Llama, Mistral, Qwen, DeepSeek, Cohere, Phi)
Multilingual support (English, French, Spanish, German, Portuguese + CJK auto-detection)
Batch directory scanning with --dir
Mixed-content paragraph analysis with --mixed
HTML reports with --format html
Streamlit web UI with pip install lmscan[web]
Pre-commit hook integration
Calibration API for tuning thresholds on your own data

Honest limitations

This is statistical analysis, not a transformer classifier. It won't catch heavily paraphrased AI text. But:

You can see exactly which features triggered
No black-box false positives
Calibration API lets you tune for your domain
193 tests, Apache-2.0

GitHub: github.com/stef41/lmscan
PyPI: pypi.org/project/lmscan

Feedback welcome — especially on which types of text it struggles with. That helps calibrate the feature weights.

DEV Community: wd400

I code-reviewed 3 "vibe-coded" PRs last week. Every one had hardcoded API keys. So I built a grader.

What it does

Example output

Supported languages

Extra features

Comparison

I got mass-flagged by GPTZero for my own writing. So I built an open-source alternative in pure Python.

What it does

The detection approach

Python API

Features

Honest limitations