Vibe apps: volume up, quality low

Vibe platforms have seen tens of thousands of app submissions and a mobile‑first wave of instant apps, but PreShip’s scan of 500+ vibe apps found an average quality score of just 43/100 — missing security, metadata and error handling. (x.com) High‑velocity examples include Pulse (built in 4 hours) and Doufu (local web apps), which prove speed but also highlight why many apps need stricter pre‑ship checks. (x.com) (x.com)

A large empirical scan that surfaced the vibe‑app problem found 15,823 candidate URLs and curated 603 confirmed AI‑built production apps, and reported systemic gaps: for example, 98.5% of apps lacked a Content‑Security‑Policy and 100% lacked a Permissions‑Policy. (securestackscan.com)

Two commercial scanners published high vulnerability rates for AI‑generated apps: PathToShip’s public tooling cites a 45% vulnerability rate for AI‑generated code, while VibeAppScanner’s marketing materials advertise that 89.5% of AI‑built apps ship with security issues. (pathtoship.com) (vibeappscanner.com) (pathtoship.com)

Community demos and writeups show how fast these apps appear in the wild: public demo pages such as pulse‑stream‑vibe.base44.app and hands‑on Lovable case studies document prototypes and small apps launched in hours or over a single weekend. (youtube.com) (pathup.ai) (youtube.com)

Projects named “Doufu” and “Pulse” appear across public repos and app listings: Doufu shows up in GitHub repositories and app‑store listings, while Pulse appears both as a community editor integration and as an audit skill in open‑source repos used to probe vibe apps. (github.com) (play.google.com) (github.com 1) (github.com 2)

Major vendors are rolling vibe experiences into official products while flagging the need for controls: Microsoft published a Power Apps “vibe” preview and an FAQ that stresses telemetry, pre‑release evaluation and testing before enterprise deployment. (learn.microsoft.com 1) (learn.microsoft.com 2) (learn.microsoft.com 3)

A small but growing ecosystem of pre‑ship tools and checklists has emerged: VibeCheck, PathToShip, VibeAppScanner and several open‑source preship projects offer automated scans for exposed keys, missing RLS, source maps in production and absent security headers. Community guidance specifically recommends adding CSP headers, enforcing RLS/policy checks, and removing source maps from builds. (vibecheck.expert) (pathtoship.com) (vibeappscanner.com) (getautonoma.com) (vibecheck.expert)
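The four checks named above (security headers, source maps, exposed keys, RLS) can be run against a build before it ships. The sketch below is an added example, not code from any of the tools mentioned; the function name, the two secret patterns and the sample build are assumptions, and the RLS check assumes Postgres‑style SQL migrations.

```python
import re

# Headers the scan cited above found missing most often.
REQUIRED_HEADERS = ("content-security-policy", "permissions-policy")
# Illustrative secret formats (assumption: extend for the providers you use).
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-live-secret": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
}
SOURCE_MAP_REF = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(?!data:)\S+", re.M)
CREATE_TABLE = re.compile(r'create\s+table\s+(?:if\s+not\s+exists\s+)?([\w."]+)', re.I)
ENABLE_RLS = re.compile(
    r'alter\s+table\s+(?:only\s+)?([\w."]+)\s+enable\s+row\s+level\s+security', re.I)

def preship_findings(headers, build_files, migrations_sql=""):
    """Return a sorted list of (check, detail) findings for one build."""
    findings = []
    # A header that is present but blank protects nothing, so treat it as missing.
    present = {name.lower() for name, value in headers.items() if value.strip()}
    for name in REQUIRED_HEADERS:
        if name not in present:
            findings.append(("missing-header", name))
    for path, text in build_files.items():
        if path.endswith(".map"):
            findings.append(("source-map", path))
        elif SOURCE_MAP_REF.search(text):
            findings.append(("source-map-reference", path))
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append(("exposed-key", f"{label} in {path}"))
    # Every created table needs a matching ENABLE ROW LEVEL SECURITY statement.
    protected = {t.replace('"', "").lower() for t in ENABLE_RLS.findall(migrations_sql)}
    for table in CREATE_TABLE.findall(migrations_sql):
        table = table.replace('"', "").lower()
        if table not in protected:
            findings.append(("rls-not-enabled", table))
    return sorted(findings)

# Constructed sample build: headers, bundle contents, key and schema are made up.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
SAMPLE_FILES = {
    "assets/app.js": "const k='AKIAABCDEFGHIJKLMNOP';\n//# sourceMappingURL=app.js.map\n",
    "assets/app.js.map": "{}",
}
SAMPLE_SQL = """
create table public.profiles (id uuid primary key);
create table public.notes (id uuid primary key);
alter table public.profiles enable row level security;
"""

if __name__ == "__main__":
    print(*preship_findings(SAMPLE_HEADERS, SAMPLE_FILES, SAMPLE_SQL), sep="\n")
```

An empty result is the condition to gate a release on; any finding should fail the build.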

Shared from Scout - Be the smartest in the room.