[Editor’s Note: This is the fourth in a series by Oren Etzioni about AI usage and best practices.]
I’ve been coding since before most of today’s creators of vibe coding were born. So when I sat down to try out the latest vibe coding tools – Lovely, Code Claude, and the like – I was expecting a wireless ride. What I found was a negative detour through program management 101.
I want to reassure non-coders: it’s not you, it’s the tools. Coding with Vibe has a usability problem and a security challenge – and the former shouldn’t be solved without the latter.
Andrej Karpathy coined “vibe coding” in a now famous tweet on Feb. 2, 2025: “There’s a new kind of coding I call ‘vibe coding,’ where you fully embrace the vibes, embrace the exponentials, and forget the code exists anymore.” That’s a promise; the truth is really annoying.
Claude’s code would not run on my machine until I adjusted the PATH variable. (If you don’t know what the PATH variable is, that’s exactly the point of this story.) When I moved to Lovable to investigate the website, it asked me, almost immediately, about secrets and keys. I knew what it meant – and I knew what to do with them, which is its own kind of safety net. But what about the small business owner who wants to create a creative tool for his shop? My mother-in-law?
What vibe coding needs is its Windows era — the point where a powerful but arcane technology gets such a good user interface that the underlying machine disappears. Before Windows (and the Macintosh before it), using a personal computer meant typing obscure commands at a DOS prompt. Of course, Windows also opened the door to a flood of viruses. The Vibe code requires getting the ramp and seat belts together.
Today, prime time vibe codes meet the Great Wall of Jargon. In the first 10 minutes of trying to code a simple website, I met the criteria: secret, key, API key, token, environment variable, .env file, shell, terminal, command line, CLI, PATH, localhost, port, 127.0.0.1, repo, clone, commit, push, Node, npm, dependency, IDE, deployment, build, IDE build. Each is a small door that I had to find a key to. It’s not about what I wanted to build. Beginners are asked to learn another language before saying “Hello World.”
Justine Moore, a partner at Andreessen Horowitz who wrote the following piece about this usability barrier to vibe coding earlier this year, admits that her success rate on vibe coding projects is about 50-50.
“I spend a lot of time dragging screenshots and copying error messages into Cursor and asking for help,” Moore wrote. When the people whose job it is to invest in this category are looking at the screen, the audience that should be releasing the vibe coding is also struggling.
The data supports this. Stack Overflow’s 2025 Developer Survey of more than 49,000 developers found that, when asked about vibe code, 77% said it’s not part of their professional work. These are the experts – the people for whom this should be easy.
And among the audience that should benefit the most, the picture is no better. Bubble, a visual development platform with an obvious competitive interest in feedback, surveyed 793 developers who had tried both visual development and vibe coding tools and found that 90.6% stuck with visual development while only 25.6% stuck with vibe coding.
As Moore puts it: “Right now, vibe writing is a spectator sport for most Americans.”
Vibe coding companies know this and are working on it. Replit’s one-click release is the closest thing the current generation has to Windows — you hit “publish” and your app is there at the URL, no shell, no configuration, no Node installation. But this is the exception, not the rule. Cybersecurity, too, is up to you – a gap that the next generation of vibe code platforms will need to close.
How the on-ramp needs to look is clear enough. Setting the egg. Nothing can be included. No keys can be handled; the platform manages credentials behind the scenes. There is no separate step to be served; when you’re done, the item is in the URL, full stop. The default for reasonable security is baked in, not access – because a ramp with no guardrails is worse than no access at all.
None of this is easy. Hiding machines requires solving real problems – data management, sandboxing, automated deployment – which is really hard. But hard problems are exactly where startups are born.
Moore ends his piece with a powerful observation: every Unix command, as Matt Rickard noted years ago in a much-cited essay, is ultimately a beginning. Squarespace has made websites for you. Canva has designed for you. A company that does vibe coding for you will do at least something great. There is no ramp. Whoever builds it will transform an art that today requires patience and perseverance into something that millions of people can do in their spare time. But getting there will require more than an on-ramp.
The on-ramp takes you to the road. It doesn’t teach you to drive. As non-coders send more and more home-grown applications, we can expect some risks – even dangerous ones. The Tea App, an app designed to help women stay safe on dates, is reportedly built largely on vibe coding; its creators have stored 72,000 driver’s license photos on a very open database. They weren’t bad people, but they didn’t understand internet security.
The next generation of vibe code platforms should refuse to ship an app with a wide open database the way a modern car refuses to shift gears when your foot isn’t on the brake — automatically. For minor faults, such as software the size of an unfastened seat belt, the forums should beep until you fix the problem.
The time Windows needs is not just an on-ramp. It’s an on-ramp with best practices baked into it.
Read more about Oren Etzioni’s views on AI:
- AI Trainer or AI Ghostwriter? Your Own Choice
- How to learn about AI
- AI best practices: If at first you don’t succeed, hurry, hurry again
- The AI capex conundrum
[Editor’s note: GeekWire publishes guest opinion pieces representing a range of perspectives. The views expressed are those of the author.]
