Show HN: Vibecheck – lint for AI-generated code smells (JS/TS/Python) (github.com)
7 points by yuvrajangads 102 days ago
I built a CLI that detects patterns AI coding tools leave behind: empty catch blocks, hardcoded secrets, as any everywhere, comments that restate the code, god functions, SQL concatenation.

24 rules across JS/TS and Python. Zero config, runs offline, regex-based so it's fast.

  npx @yuvrajangadsingh/vibecheck .

Also ships as a GitHub Action for inline PR annotations and standalone binaries (no Node required).

Why: CodeRabbit found AI-generated PRs have 1.7x more issues than human PRs. Veracode says 45% of AI code samples have security vulnerabilities. "Vibe coding" is everywhere now but nobody's linting for the patterns it produces.

This isn't a replacement for ESLint. It catches things ESLint doesn't look for, like catch blocks that only console.error without rethrowing, bare except: pass in Python, or mutable default arguments.

2 comments

Yeah, this is a common problem, I have been thinking about it a fair bit.

I ran into a related problem at scale though: deterministic linters catch syntax and obvious anti-patterns, but they miss the harder stuff. Logic bugs that pass all the rules. Spec drift. Security issues hiding in otherwise "clean" code.

So I built Caliper to layer AI review on top of deterministic checks. It reads your coding conventions (CLAUDE.md, .cursor/rules, whatever you use) and compiles them into checks that run after each AI turn—free and instant. Then optionally an AI layer evaluates changes against your project's actual policy. Catches what linters structurally can't.

Very different approach from Vibecheck but complementary. Actively looking for alpha testers if you want to try it — https://getcaliper.dev

yeah that makes sense. regex catches the surface-level stuff fast, but logic bugs and spec drift need something smarter. the AI layer on top of deterministic checks is a good approach.

vibecheck is intentionally the dumb fast pass, sounds like caliper handles the deeper analysis. will check it out.

I'm a little wary of this being regex-based; seems like it'd be too brittle for general use? But I really would need a tool like this to hook up to my vibecoding sessions.

fair point on regex being brittle for edge cases. it works well for the obvious patterns (empty catches, bare excepts, hardcoded secrets) but yeah it won't catch everything.

for vibe coding sessions that's actually the main use case i had in mind. run it after a generation pass to catch the low-hanging stuff before it gets committed. zero config so you can just pipe it in.
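
Added illustration, not part of the thread and not vibecheck's code: a minimal regex-only pass over JavaScript source for four of the patterns named in the post, run on a constructed sample that also shows the brittleness raised in the comments (one false positive inside a comment, one missed comment-only catch). The rule ids, regexes, `lint` function and sample are all assumptions made for this example.

```javascript
// Hypothetical rules written for this example; not vibecheck's actual rule set.
const RULES = [
  // catch whose body is empty or whitespace only
  { id: "empty-catch", re: /catch\s*(?:\([^)]*\))?\s*\{\s*\}/g },
  // catch that only calls console.error and never rethrows
  { id: "log-only-catch",
    re: /catch\s*\(\s*\w+\s*\)\s*\{\s*console\.error\([^;{}]*\);?\s*\}/g },
  // quoted literal of 8+ characters assigned to a secret-looking name
  { id: "hardcoded-secret",
    re: /\b\w*(?:password|secret|api_?key|token)\w*\s*[:=]\s*["'][^"'\s]{8,}["']/gi },
  // string literal starting with a SQL verb, followed by + concatenation
  { id: "sql-concat",
    re: /["']\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"']*["']\s*\+/gi },
];

// Run every rule over the whole source text; report rule id and 1-based line.
function lint(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of source.matchAll(re)) {
      findings.push({ rule: id, line: source.slice(0, m.index).split("\n").length });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input (the key value is a made-up placeholder).
const SAMPLE = [
  'const apiKey = "constructed-placeholder-0000";',
  'async function load(db, id) {',
  '  try {',
  '    return await db.query("SELECT * FROM users WHERE id = " + id);',
  '  } catch (e) {',
  '    console.error(e);',
  '  }',
  '  try { risky(); } catch {}',
  '  // docs: never write catch (e) {}',           // flagged anyway: regex cannot see comments
  '  try { risky(); } catch (e) { /* ignore */ }', // missed: body is not literally empty
  '}',
].join("\n");

console.log(lint(SAMPLE));
```

Telling code from comments and string literals needs a tokenizer or AST, which is the trade-off against the speed of a regex pass.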