Stop shipping AI-generated code you haven't reviewed.
vibesafex catches the bugs your AI coding agent won't tell you about: hallucinated imports, hardcoded secrets, security vulnerabilities, and dead code.
Built for the vibe coding era. Works with code from Claude Code, Cursor, Copilot, Windsurf, and any AI coding tool.
pip install vibesafex
vibesafex scan .| Code | Category | Severity | What |
|---|---|---|---|
| VS100-VS110 | Security | error | eval(), exec(), shell=True, SQL injection, os.system(), unsafe YAML, weak hashes |
| VS200-VS210 | Secrets | error | OpenAI/AWS/GitHub/Anthropic/Stripe API keys, private keys, JWTs, hardcoded credentials |
| VS300 | Imports | warning | Hallucinated imports — packages that don't exist (AI's favorite mistake) |
| VS400-VS403 | Dead Code | warning | Unused imports, unreachable code, empty except: pass, bare except |
| VS500-VS507 | AI Patterns | warning | TODO/FIXME left by AI, placeholder functions, NotImplementedError stubs, mutable defaults, star imports |
vibesafex scan src/vibesafex scan main.py utils.pyecho 'x = eval(input())' | vibesafex checkvibesafex scan . --format jsonvibesafex scan . --severity error # Only errors
vibesafex scan . --fail-on warning # Fail CI on warnings toofrom vibesafex import scan_code, scan_file, scan_directory
# Scan a string
issues = scan_code('x = eval(input())')
for issue in issues:
print(f"{issue.code}: {issue.message}")
# Scan a file
issues = scan_file("main.py")
# Scan a project
result = scan_directory("src/")
print(f"{result.error_count} errors found in {result.files_scanned} files")from vibesafex import Scanner
scanner = Scanner(
severity_threshold="warning", # Skip info-level
exclude_dirs={".venv", "migrations"},
)
result = scanner.scan_directory(".")
✗ main.py:5:0 [error] VS100: Use of eval() - potential code injection vulnerability
✗ main.py:8:0 [error] VS200: Possible OpenAI API key
⚠ main.py:12:0 [warning] VS300: Import 'magic_ai_lib' - package 'magic_ai_lib' not found (hallucinated import?)
⚠ main.py:15:0 [warning] VS501: Function 'process' has empty body (pass) - placeholder
ℹ main.py:20:0 [info] VS500: TODO comment - AI may have left incomplete implementation
5 files scanned: 2 errors, 2 warnings, 1 info
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: vibesafex
name: vibesafex
entry: vibesafex scan --fail-on error
language: python
types: [python]
additional_dependencies: [vibesafex]vibesafex focuses specifically on AI-generated code patterns that traditional linters miss:
- Hallucinated imports: AI confidently imports packages that don't exist. vibesafex checks against stdlib, installed packages, and 200+ known popular packages.
- Secret leakage: AI copies real-looking API keys into code. vibesafex detects patterns for 12+ providers.
- Placeholder code: AI leaves
pass,...,NotImplementedErrorstubs that slip through review. - AI anti-patterns: Mutable defaults, star imports, excessive
Any— patterns AI generates more often than humans.
Use vibesafex alongside your existing linter, not instead of it.
Part of the stef41 LLM toolkit — open-source tools for every stage of the LLM lifecycle:
| Project | What it does |
|---|---|
| tokonomics | Token counting & cost management for LLM APIs |
| datacrux | Training data quality — dedup, PII, contamination |
| castwright | Synthetic instruction data generation |
| datamix | Dataset mixing & curriculum optimization |
| toksight | Tokenizer analysis & comparison |
| trainpulse | Training health monitoring |
| ckpt | Checkpoint inspection, diffing & merging |
| quantbench | Quantization quality analysis |
| infermark | Inference benchmarking |
| modeldiff | Behavioral regression testing |
| injectionguard | Prompt injection detection |
Apache 2.0