10 AI coding anti-patterns every software engineer should understand and know (I wrote this after generating and reviewing over 100k+ LOC over the past year with different models)

AI coding agents are fast, but they make the same categories of mistakes over and over. Here are 10 patterns I have seen repeatedly occur:

[1] Duplication: AI does not search your codebase before writing code. If your shared utility lives three directories away, it does not exist as far as the agent is concerned. You end up with four implementations of the same thing in the same week.

[2] Abstraction Bypass: Even when shared infrastructure exists, the agent reaches for the raw library instead. It will use httpx.AsyncClient directly when your project has a BaseHTTPClient wrapper sitting right there with logging, retries, and auth baked in.

[3] Error Handling Gaps: AI loves the happy path. Bare except clauses that swallow everything, missing finally blocks, catch-all handlers that log and move on when the correct behavior is to propagate. Error handling gaps show up nearly 2x more in AI code.

[4] Type Safety Violations: When the agent cannot figure out the correct type, it reaches for `any` and moves on. The code compiles, the linter passes, and three weeks later, you get a runtime error that nobody can trace.

[5] Security Anti-Patterns: SQL string interpolation instead of parameterized queries. Hardcoded secrets in source files. Missing input validation on API endpoints. 36-40% of AI-generated code contains at least one security vulnerability.

[6] Dead Code and Over-Engineering: AI generates defensively: unused imports, abstractions for things with one implementation, configuration systems for values that never change. It builds for hypothetical scenarios nobody asked for.

[7] Debugging Residue: AI agents work in a try-fail-retry loop and leave the old files behind. You end up with auth.py, auth_v2.py, auth_new.py in the same directory. The agent works forward and never cleans up.

[8] Async Misuse: Blocking calls inside async functions, missing awaits on coroutines, synchronous I/O in event loops. These bugs pass linting and type checking and only surface under load when it is too late.

[9] Deprecated API Usage: AI models are trained on historical code and do not distinguish current from deprecated. You will see datetime.utcnow(), which was deprecated in Python 3.12, pkg_resources instead of importlib, and React class components instead of hooks.

[10] Fake Test Coverage: AI produces test suites that hit high coverage numbers and pass CI. But the tests validate the AI's own assumptions, not your intent. They mock so heavily they test nothing real and snapshot whatever the agent generated as "correct."

The good news is that these mistakes are predictable, which means they are preventable. Linters, pre-commit hooks, and targeted code review catch most of them before they reach production.
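The following is an added example, not code from the post above: it puts anti-patterns [3], [5] and [9] side by side in one small lookup function and its hardened form, and runs both against an injection payload so the difference is observable. The sqlite schema, the sample rows and the function names are assumptions made for the demo.

```python
"""Vulnerable-vs-hardened user lookup. Added example, not code from the post;
the sqlite schema, rows and function names are assumptions for the demo."""
import sqlite3
from datetime import datetime, timezone


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def get_user_unsafe(conn: sqlite3.Connection, name: str) -> dict:
    """The shape an agent tends to produce: [5], [3] and [9] in one function."""
    try:
        # [5] caller input interpolated into SQL: a quote in `name` rewrites the query
        rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
        # [9] datetime.utcnow() is deprecated since 3.12 and returns a naive datetime
        return {"rows": rows, "at": datetime.utcnow()}
    except:  # noqa: E722  [3] bare except: a malformed query fails silently as "no rows"
        return {"rows": [], "at": None}


def get_user_safe(conn: sqlite3.Connection, name: str) -> dict:
    """Same lookup with the three defects fixed."""
    if not isinstance(name, str) or not 1 <= len(name) <= 64:
        raise ValueError("name must be a string of 1-64 characters")
    try:
        # parameter binding: `name` travels as data, so quotes cannot change the statement
        rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    except sqlite3.Error as exc:
        # narrow handler that keeps the cause and propagates; nothing is swallowed
        raise RuntimeError("user lookup failed") from exc
    # timezone-aware replacement for utcnow()
    return {"rows": rows, "at": datetime.now(timezone.utc)}


def demo() -> dict:
    """Run both versions against the classic tautology and a query-breaking quote."""
    conn = make_db()
    tautology = "' OR '1'='1"   # constructed injection payload
    broken = "x'"               # stray quote: the unsafe query is now invalid SQL
    return {
        "unsafe_tautology": get_user_unsafe(conn, tautology)["rows"],  # leaks every row
        "safe_tautology": get_user_safe(conn, tautology)["rows"],      # no such user
        "unsafe_broken": get_user_unsafe(conn, broken)["rows"],        # error swallowed -> []
        "safe_broken": get_user_safe(conn, broken)["rows"],            # bound literally -> []
        "safe_alice": get_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `unsafe_broken` case is the one reviewers miss: the bare except turns a SQL syntax error into an empty result, so the injection attempt never shows up in logs or tests. The hardened version rejects out-of-range input up front, binds the parameter, and re-raises with the original cause attached.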
Code Smells to Watch for in AI-Generated Code
Summary
AI-generated code can speed up development, but it often carries "code smells": patterns that are not necessarily bugs themselves but signal deeper problems in code quality, reliability, and security. Recognizing these warning signs is essential for anyone who works with AI-assisted programming, because the smells are where bugs, vulnerabilities, and extra maintenance work tend to hide.
- Check for duplication: Review new AI-generated code for repeated blocks or functions, as unnecessary copies can create confusion and increase the risk of defects.
- Scrutinize error handling: Look closely at how exceptions and failures are managed, since AI code often overlooks edge cases and may miss proper logging or recovery steps.
- Harden security layers: Always inspect for missing authentication, input validation, or insecure defaults, since AI can introduce vulnerabilities faster than you can spot them without careful review.
"AI writes code faster. Your job is still to prove it works." My latest free write-up: https://lnkd.in/gkhzcfiR ✍ is all about code review.

Over 30% of senior developers now ship mostly AI-generated code. The problem? AI excels at drafting features but stumbles on logic, security, and edge cases - with errors 75% more common in logic alone. The bottleneck has moved from writing code to proving it works.

What's changing: Solo devs ship at "inference speed," treating AI like a powerful intern - but the smart ones have built verification systems (high test coverage, manual testing) that catch issues before production. Skip review and you don't eliminate work, you defer it.

Teams face a different challenge: AI floods volume. PRs are ~18% larger, incidents per PR up ~24%, change failure rates up ~30%. When output increases faster than verification capacity, review becomes the rate limiter.

Security remains non-negotiable for human oversight. ~45% of AI-generated code contains security flaws. Logic errors at 1.75× the rate of human code. XSS vulnerabilities at 2.74×.

The emerging best practice? A simple PR contract:
→ What/why in 1-2 sentences
→ Proof it works (tests, screenshots, logs)
→ Risk tier + which parts were AI-generated
→ Where you need human input

If you can't fill this out, you don't understand your own change well enough to ask someone to approve it. Proof over vibes. The human is ultimately responsible for what the AI delivers. #ai #programming #softwareengineering
-
Several comprehensive studies including O’Reilly’s Playbook for Large Language Model Security, the 2025 State of Software Delivery report, and GitClear’s 2025 AI Copilot Code Quality report conclude that companies have started using AI for #coding too soon.

A general conclusion: “LLMs are not #software engineers; they are like interns with goldfish memory. They’re great for quick tasks but terrible at keeping track of the big picture.” “As reliance on #AI increases, that big picture is being sidelined. Ironically, by certain accounts, the total developer workload is increasing—the majority of developers spend more time debugging AI-generated code and resolving security vulnerabilities.”

“AI output is usually pretty good, but it’s still not quite reliable enough,” says another. “It needs to be a lot more accurate and consistent. Developers still always need to review, debug, and adjust it.”

One problem: “AI tools tend to duplicate code, missing opportunities for code reuse and increasing the volume of code that must be maintained.” GitClear’s report “analyzed 211 million lines of code changes and found that in 2024, the frequency of duplicated code blocks increased eightfold.” “In addition to piling on unnecessary technical debt, cloned code blocks are linked to more defects—anywhere from 15% to 50% more.” While larger context windows will help, “they’re still insufficient to grasp full software architectures or suggest proper refactoring.”

One CEO says: “AI tools often waste more time than they save for areas like generating entire programs or where broader context is required. The quality of the code generated drops significantly when they’re asked to write longer-form routines.”

“Hallucinations still remain a concern. AI doesn’t just make mistakes—it makes them confidently. It will invent open-source packages that don’t exist, introduce subtle security vulnerabilities, and do it all with a straight face.” “Security vulnerabilities are another issue. AI-generated code may contain exploitable flaws.”

Furthermore, AI agents often “fail to find root cause, resulting in partial or flawed solutions:” “Agents pinpoint the source of an issue remarkably quickly, using keyword searches across the whole repository to quickly locate the relevant file and functions—often far faster than a human would. However, they often exhibit a limited understanding of how the issue spans multiple components or files, and fail to address the root cause, leading to solutions that are incorrect or insufficiently comprehensive.”

Solutions include better training data, more testing to validate AI outputs, progressive rollouts, and greater use of finely tuned models. The bottom line for some: “AI-generated code isn’t great—yet. But if you’re ignoring it, you’re already behind. The next 12 months are going to be a wild ride.” #technology #innovation #artificialintelligence #hype
-
👋🏼 Hope everyone's having a great week! Last week while coding an authentication protocol, I almost merged AI-generated code that looked perfect… but had a hidden injection risk. ⚡️ I am lucky to always remember: AI doesn't just generate code faster than us—it can generate vulnerabilities faster too. If you're using Copilot, Cursor, or Windsurf, your prompts aren't just about productivity—they're your first line of defense. Here are 3 ways I now prompt AI to write secure code by default 👇🏼

1️⃣ Anchor prompts to secure coding frameworks. Instead of "refactor this" ⛔, use: "Refactor this API following OWASP top 10: validate inputs, enforce authZ, prevent XSS/SQLi, handle errors securely." ✅ -> This embeds industry security standards right into the output.

2️⃣ Prompt AI to generate tests & threat models. Don't just ask for code ⛔—ask for protection: "Write unit tests to block XSS + SQL injection." ✅ "Map threats for this function using STRIDE." ✅ -> This turns AI into a security reviewer, not just a coder.

3️⃣ Chain prompts with the attacker's mindset. After generating code, re-prompt: "Review this code as an attacker. How could you exploit it?" ✅ -> It's like having a mini red team running inside your IDE.

💡Bonus: Always run AI-generated code through SAST tools (Semgrep, CodeQL, Bandit) before merging. Prompting guides the AI, but scanning verifies. 🔐 In cybersecurity we know: assumptions are exploits waiting to happen. Don't assume the AI “codes securely”—teach it through your prompts. 👉🏼 Curious—if you've tried AI for coding, what's the most surprising vulnerability you've seen it create? #AIforDevelopers #SecureCoding #PromptEngineering #DevSecOps #Copilot #Cursor #Cybersecurity
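What the "write unit tests to block XSS" and "review this as an attacker" prompts should produce looks roughly like the following. It is an added example, not code from the post: an unencoded HTML renderer next to an encoded one, a small set of constructed payloads covering text, attribute and URL contexts, and an `audit` helper that reports which payloads survive. The `render_unsafe`/`render_safe` names and the payload list are assumptions for the demo.

```python
"""Attacker-minded unit test for output encoding. Added example, not from the
post; render_unsafe/render_safe and the payload list are assumptions."""
import html
from urllib.parse import urlparse

# Constructed payloads, one per injection context: element text, attribute, URL.
XSS_PAYLOADS = [
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "javascript:alert(1)",
]


def render_unsafe(name: str, link: str) -> str:
    """What a generator often emits: f-string HTML with no encoding anywhere."""
    return f'<a href="{link}" title="{name}">{name}</a>'


def safe_href(link: str) -> str:
    """Attribute encoding alone does not stop javascript: URLs; check the scheme."""
    if urlparse(link).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(link, quote=True)


def render_safe(name: str, link: str) -> str:
    """quote=True also encodes the quote characters, so text is safe in attributes too."""
    safe_name = html.escape(name, quote=True)
    return f'<a href="{safe_href(link)}" title="{safe_name}">{safe_name}</a>'


def breaks_out(rendered: str) -> bool:
    """Oracle used by the test: does executable markup survive into the output?"""
    lowered = rendered.lower()
    return (
        "<script" in lowered
        or 'onmouseover="' in lowered
        or 'href="javascript:' in lowered
    )


def audit(render) -> list:
    """Return the payloads that break out of `render`; an empty list is the pass condition."""
    return [p for p in XSS_PAYLOADS if breaks_out(render(p, p))]


if __name__ == "__main__":
    print("unsafe leaks:", audit(render_unsafe))
    print("safe leaks:", audit(render_safe))
    print(render_safe("Ann & Bob", "https://example.com/?q=1&x=2"))
```

The third payload is the one that separates "encoded" from "safe": `html.escape` leaves `javascript:alert(1)` untouched because it contains no special characters, so an `href` needs a scheme check on top of encoding. Tests that only assert on `<script>` would pass the unsafe renderer for that case.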
-
If your SOC 2 /ISO report has vibe coding platforms, it’s a red flag unless…. You have suitable controls designed and operational.

Today’s Claude coders don’t start with code anymore. They start with intent. Describe what you want in plain English → an LLM writes the code. Sounds like magic. But here’s the catch. If you don’t understand what was generated, you’re not coding…you’re approving risks.

As auditors we are already seeing vibe coding platforms on clients’ tech stack. And we are seeing vulnerabilities related to these insecure coding practices:
• Insecure defaults baked into generated code
• Missing auth, logging, and validation layers

Vibe coding doesn’t remove engineering responsibility. It amplifies it. The real shift isn’t faster coding, it’s faster mistakes at scale if governance doesn’t catch up.

Secure coding controls we are looking for require you to:
Review AI-generated code like an auditor
Embed guardrails into prompts + pipelines
Treat LLMs as junior devs, not senior architects

AI didn’t change who’s accountable. The developer is still the control owner.

Weak prompt example? “Build a login API in Node.js”

Secure prompt example? “Build a production-ready login API in Node.js (Express) that follows secure coding best practices:
• Use bcrypt for password hashing (no plain text or weak algorithms)
• Implement rate limiting and account lockout after 5 failed attempts
• Enforce input validation and output encoding (OWASP standards)
• Return generic error messages (no user enumeration)
• Use JWT with short expiration and secure signing (HS256/RS256)
• Store secrets in environment variables (no hardcoding)
• Include structured logging without sensitive data
• Add middleware for authentication and authorization
• Follow least privilege for any DB access
• Include comments explaining security decisions
• Provide sample unit tests for auth edge cases”

Above enforces the following secure prompting strategies:
1. Constraining the model → Reduces insecure defaults
2. Embedding controls directly in generation → Security becomes part of the code, not an afterthought
3. Forcing explainability → Makes it auditable

When did you last train your dev teams on secure vibe coding? Learn more from Cloud Security Alliance at https://bit.ly/3YrOBgp #VibeCoding #DevSecOps #soc2 #ai #grc #compliance #iia #tprm #yc #saas #iso
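To make the controls in that prompt concrete, here is an added example (not the post's code, and in Python rather than the Node.js the prompt asks for, to match the page's other examples) of the password-hashing, lockout-after-5 and generic-error requirements. The in-memory user store, the 15-minute lockout and the injectable clock are assumptions for the demo; scrypt from the standard library stands in for bcrypt.

```python
"""Login controls from the prompt above in Python. Added example, not the post's
code; the in-memory store, thresholds and clock hook are assumptions."""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5                 # lock the account after the 5th wrong password
LOCKOUT_SECONDS = 15 * 60
GENERIC_ERROR = "invalid username or password"   # one message for every failure
_DUMMY_SALT = os.urandom(16)     # used to spend the same hashing time on unknown users


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """scrypt from the stdlib (bcrypt/argon2 are equally fine); fresh salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class AuthStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock             # injectable so lockout expiry is testable
        self.users = {}                # username -> (salt, digest); no plaintext kept
        self.failures = {}             # username -> (count, locked_until)

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> tuple:
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            # locked: same generic answer, and no hashing work for the attacker to measure
            return False, GENERIC_ERROR
        if locked_until:
            count, locked_until = 0, 0.0       # lockout expired: start counting afresh
        record = self.users.get(username)
        if record is None:
            hash_password(password, _DUMMY_SALT)   # keep timing similar to a real user
            return False, GENERIC_ERROR            # no "user not found": no enumeration
        salt, digest = record
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failures.pop(username, None)      # success resets the counter
            return True, "ok"
        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return False, GENERIC_ERROR


def demo() -> dict:
    """Walk the lockout state machine with a fake clock."""
    t = [1000.0]
    store = AuthStore(clock=lambda: t[0])
    store.add_user("alice", "correct horse battery staple")
    out = {
        "unknown_user": store.login("mallory", "x")[1],
        "wrong_password": store.login("alice", "x")[1],
    }
    for _ in range(MAX_FAILURES - 1):
        store.login("alice", "x")
    out["locked_with_right_password"] = store.login("alice", "correct horse battery staple")[0]
    t[0] += LOCKOUT_SECONDS + 1
    out["after_lockout"] = store.login("alice", "correct horse battery staple")[0]
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer should raise on any generated version of this: per-account lockout lets an attacker who knows a username lock the legitimate user out, so it belongs alongside per-source rate limiting rather than replacing it, and the "hash a dummy password for unknown users" step is there precisely because returning early would make the response time reveal which usernames exist.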
-
If you’re using AI to write your code, here’s something you should know. If you are:
• using AI to generate production code
• using AI to generate the tests
• using AI to validate its own output
• and then shipping it

Then you are MORE likely than a human to ship bugs and vulnerabilities. Specifically, you are more likely than a human to:
• Introduce security vulnerabilities (~20-25% higher likelihood)
• Ship critical or major bugs (≈1.5–1.7× more per PR)
• Miss edge cases and failure paths in tests
• Over-test happy paths and under-test bad inputs
• Have “clean” builds that hide production risks

AI-written tests are less likely to test edge cases and over-use mocks. LGTM! 😅 This doesn’t mean “don’t use AI.” It means 100% AI-generated systems should make you pause and consider the risks. Output scales fast. Judgment and maintenance won't.
-
LLMs have become extremely good at generating syntactically valid Python, but security quality has barely improved. Veracode's Spring 2026 GenAI Code Security Report found that security pass rates have remained stuck near 55% since 2024. That gap exists because models learn from public code full of insecure patterns and reproduce them when prompted. At the same time, reviewers usually verify whether code works, not whether it introduces vulnerabilities. Bandit is a static analyzer for Python that identifies insecure patterns by matching code against 60+ Common Weakness Enumeration (CWE) rules. This article walks through 8 common anti-patterns in AI-generated Python and how to fix them with Bandit. 🚀 Article: https://bit.ly/4wkxcWr #Python #Security #AI #DevOps
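As an added illustration of how a static analyzer like Bandit works (this is a toy checker written for this page, not Bandit's own rules, rule IDs or CWE mappings), the block below walks a Python AST and flags five of the patterns discussed on this page: hard-coded credentials, `shell=True`, SQL built by string formatting, swallowed exceptions and `eval`. Both snippets it scans are constructed for the demo, and the CWE labels are illustrative.

```python
"""A minimal Bandit-style checker: walk the AST and flag a few insecure patterns
by CWE. Added example in the spirit of Bandit, not Bandit's own rules or IDs;
the CWE labels and both sample snippets are constructed for the demo."""
import ast

SECRET_NAMES = ("password", "secret", "token", "api_key")


def _is_formatted_sql(arg: ast.expr) -> bool:
    """f-string, %-format or .format() used as the statement argument."""
    if isinstance(arg, ast.JoinedStr):
        return True
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return True
    return (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format")


def scan(source: str) -> list:
    """Return (line, cwe, message) findings sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler):
            bare = node.type is None
            only_pass = len(node.body) == 1 and isinstance(node.body[0], ast.Pass)
            if bare or only_pass:
                findings.append((node.lineno, "CWE-703", "exception swallowed (bare except / pass)"))
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
                findings.append((node.lineno, "CWE-95", f"{func.id}() on runtime data"))
            if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                   and kw.value.value is True for kw in node.keywords):
                findings.append((node.lineno, "CWE-78", "subprocess call with shell=True"))
            if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                    and node.args and _is_formatted_sql(node.args[0])):
                findings.append((node.lineno, "CWE-89", "SQL built by string formatting"))
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                    findings.append((node.lineno, "CWE-798", f"hard-coded credential in {target.id}"))
    return sorted(findings)


# Constructed "as generated" snippet: one anti-pattern per line of interest.
GENERATED = '''
import subprocess
DB_PASSWORD = "hunter2"
def run(cmd, user_id, db):
    subprocess.run(cmd, shell=True)
    try:
        db.execute(f"SELECT * FROM users WHERE id = {user_id}")
    except:
        pass
    return eval(cmd)
'''

# Same logic with each finding addressed.
FIXED = '''
import os, subprocess
DB_PASSWORD = os.environ["DB_PASSWORD"]
def run(argv, user_id, db):
    subprocess.run(argv, shell=False)
    try:
        db.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    except db.Error as exc:
        raise RuntimeError("lookup failed") from exc
    return None
'''

if __name__ == "__main__":
    for line, cwe, msg in scan(GENERATED):
        print(f"generated:{line}: {cwe}: {msg}")
    print("fixed:", scan(FIXED))
```

The point of showing the checker rather than just its output is the trade-off it makes visible: every rule is a syntactic pattern, so it catches `f"... {user_id}"` passed straight to `execute` but not a query assembled into a variable two lines earlier. That is why the page's other advice (review, tests, a second model) sits next to SAST rather than behind it.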
-
How to DEBUG AI-generated CODE? AI writes code in seconds. Debugging it takes hours. Most AI-generated code breaks in the exact same 2 places. Every single time.
① Start of the function → no input validation
② End of the function → no error handling
Fix those first. 90% of the time, everything stabilizes.

The rest of my debugging process:
→ Verify before you run. AI invents function names that sound real. Check the docs before executing anything.
→ Isolate the code. Never debug AI code in your main project. Paste it in a blank file with fake data. If it breaks there, the logic is wrong.
→ Don't ask "why is this broken?" Tell it: "This has a flaw. Find 3 edge cases where it fails." AI finds bugs 10x better than it writes perfect code.
→ Force it to think before it codes. Prompt: "Explain your logic step by step, list edge cases, then write the code." If the explanation is wrong, the code will be wrong. Catch it early.
→ Use two AI models. Write with one. Review with another. Different models catch different blind spots.

The real problem isn't that AI writes bad code. It's that AI writes confident bad code. Debug the confidence, not just the syntax. ♻️ Repost if this saves someone an hour today. #AI #Coding #SoftwareDevelopment #Debugging #Productivity