I Scanned 100 AI Codebases - Here's What I Found

via Dev.to Webdev, by Mykola Kondratiuk

I've been building VibeCheck for the past few months - it's a security scanner specifically for AI-generated code. And after scanning over a hundred real codebases that people built with Cursor, Copilot, Claude, and various other AI tools, I have thoughts. Not the "AI is dangerous" hot take. Something more specific than that.

The pattern that kept showing up

Almost every codebase had the same category of issue. Not SQL injection or XSS or anything that would show up in a classic OWASP checklist. The dominant problem was what I started calling trust misconfigurations - places where the code just... assumed everything was fine.

Open CORS policies. Service accounts with admin permissions because that was the fastest path to getting it working. API keys hardcoded in config files that weren't in .gitignore. Input that got passed straight into shell commands with no sanitization.

None of it was malicious. The AI wasn't trying to introduce vulnerabilities. It was just optimizing for "make it
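To make the four trust-misconfiguration classes above concrete, here is a small pattern-based scanner that flags each of them in a constructed sample repository. This is an added example, not VibeCheck's code or anything from the original post; the rule regexes, the `.gitignore` approximation, and the sample files are all my own assumptions, and a real scanner would use an AST rather than regexes for the shell-command cases.

```python
"""Toy scanner for 'trust misconfigurations' in AI-generated code.

Added example (not VibeCheck). Flags: wildcard CORS, admin-level service
account roles, hardcoded secrets (and whether the file is gitignored), and
shell commands assembled from strings.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


# (rule name, regex). Patterns are deliberately narrow; they are assumptions
# for this example, not a complete rule set.
RULES = [
    # Wildcard CORS: header set to "*" or a flask-cors style origins="*".
    ("open-cors", re.compile(r"""Access-Control-Allow-Origin\W{1,8}\*""")),
    ("open-cors", re.compile(r"""origins\s*=\s*['"]\*['"]""")),
    # Broad cloud roles bound to a service account (GCP primitive roles, AWS admin policy).
    ("admin-service-account", re.compile(r"""roles/(owner|editor)\b|AdministratorAccess""")),
    # A literal credential assigned to a key/secret/token variable.
    ("hardcoded-secret", re.compile(
        r"""(?i)\b(api[_-]?key|secret|token)\w*\s*[:=]\s*['"][A-Za-z0-9_\-]{16,}['"]""")),
    # Shell commands built from strings: shell=True, or os.system with an f-string / concatenation.
    ("shell-injection", re.compile(r"""subprocess\.\w+\(.*shell\s*=\s*True""")),
    ("shell-injection", re.compile(r"""os\.system\(\s*(f['"]|.*\+)""")),
]


def is_ignored(path: str, gitignore: str) -> bool:
    """Approximate .gitignore matching: glob against the full path or the basename."""
    base = path.rsplit("/", 1)[-1]
    for pat in gitignore.splitlines():
        pat = pat.strip()
        if not pat or pat.startswith("#"):
            continue
        if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(base, pat.rstrip("/")):
            return True
    return False


def scan_file(path: str, text: str, gitignore: str = "") -> list[Finding]:
    """Run every rule over each line; report one finding per (line, rule)."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen: set[str] = set()
        for rule, rx in RULES:
            if rule in seen or not rx.search(line):
                continue
            seen.add(rule)
            # A secret in a gitignored file is still a smell, but not a committed leak.
            if rule == "hardcoded-secret" and is_ignored(path, gitignore):
                rule = "hardcoded-secret-ignored-file"
            findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory repo {path: contents}; .gitignore is consulted, not scanned."""
    gitignore = files.get(".gitignore", "")
    out: list[Finding] = []
    for path, text in files.items():
        if path != ".gitignore":
            out.extend(scan_file(path, text, gitignore))
    return out


# Constructed sample repository, not taken from any real codebase.
SAMPLE_REPO = {
    ".gitignore": "*.env\n__pycache__/\n",
    "app.py": (
        "from flask import Flask, request\n"
        "import subprocess\n"
        "app = Flask(__name__)\n"
        "@app.after_request\n"
        "def cors(resp):\n"
        '    resp.headers["Access-Control-Allow-Origin"] = "*"\n'
        "    return resp\n"
        "@app.route('/ls')\n"
        "def ls():\n"
        "    return subprocess.run(f\"ls {request.args['d']}\", shell=True, capture_output=True).stdout\n"
    ),
    "settings.py": 'API_KEY = "sk-live-1234567890abcdef"\n',
    "local.env": 'SECRET_TOKEN="abcdefghijklmnopqrstuvwxyz"\n',
    "deploy.yaml": "bindings:\n  - role: roles/owner\n    members: [serviceAccount:app@example.iam]\n",
    # Hardened equivalents: env-sourced key, argv list instead of a shell string.
    "safe.py": 'API_KEY = os.environ["API_KEY"]\nsubprocess.run(["ls", d])\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
```

Running it lists one finding per misconfiguration class in the sample and nothing for `safe.py`, which uses an environment-sourced key and an argv list; the `.gitignore` check separates a secret in a committed config file from one in a locally ignored `.env`.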
