Vibe Coding: How AI Agents Are Changing Software Development

In January 2026, I started seriously working with AI coding tools -- not as a novelty, but as part of my regular workflow. What I experienced surprised me: not because the tools are so good, but because they allow a solo developer to do things that previously would have required an entire team.

This article is an honest account -- with specific tools, concrete results, and a critical look at the security risks.

What Is Vibe Coding?¶

The term was coined by Andrej Karpathy -- AI researcher, OpenAI co-founder, and former Tesla AI lead. In February 2025, he described a new way of programming: you give the AI an intent, an idea, a "vibe" -- and the AI generates the code. You barely read the code anymore; you check whether it does what you wanted.

Collins English Dictionary named "Vibe Coding" the word of the year 2025. The definition: Software development through natural language instructions to AI systems, where the developer evaluates the output rather than writing the code themselves.

The core idea is enticing: as a solo developer, you can implement ideas that previously would have required a team. You are no longer limited by typing speed or language skills, but by the quality of your thoughts.

Results can only be as precise as the inputs are detailed.

That sounds trivial, but it is the most important statement in vibe coding. Whoever writes vague prompts gets vague code. Whoever describes precisely what they want -- including context, constraints, and edge cases -- gets surprisingly good results.

Tool Overview: What's Available and What It Costs¶

Why I Chose Claude Code¶

After testing several tools, I settled on Claude Code -- the terminal-native agent from Anthropic. The reasons:

• Token efficiency: According to independent analyses, Claude Code is approximately 5.5x more token-efficient than Cursor for comparable tasks. This directly impacts costs.
• Task success rate: In benchmarks, Claude Code achieves a success rate of ~93% on well-defined coding tasks.
• Terminal proximity: As someone who already works on the command line, a terminal agent feels more natural than a dedicated IDE fork.
• Context management: Through CLAUDE.md files in the project directory, you can permanently store project context, coding standards, and behavioral rules -- the agent reads them at every start.

Cursor is nevertheless an excellent tool, especially if you prefer to stay in the editor and appreciate the visual diff view.

Using AI Agents Effectively: Methods and Tips¶

1. CLAUDE.md / Custom Instructions: Context Is Everything¶

The most important thing when working with AI agents is persistent context. For Claude Code, this means a CLAUDE.md file in the project root:

# Projektname - KI-Kontext

## Tech Stack
- Symfony 6, PHP 8.2, Bootstrap 5.3
- DDEV für lokale Entwicklung
- MariaDB 10.11, keine Raw SQL

## Coding-Standards
- PSR-12, declare(strict_types=1) immer in eigener Zeile
- Keine magic strings, Enums bevorzugen
- Kommentare auf Englisch

## Verboten
- Keine direkten DB-Queries außerhalb von Repositories
- Keine var_dump() im Code lassen

Cursor uses .cursor/rules/ with a similar principle. Those who maintain these files save time in every conversation with the agent, because you no longer have to explain what has always been true.

2. MCP Servers: Equipping the Agent with Tools¶

MCP (Model Context Protocol) is an open standard that allows AI agents to use external tools: database access, API calls, browser control, file system operations.

Useful MCP servers for local development:

• Filesystem MCP: Direct read/write access to the project directory
• GitHub MCP: Read issues, create PRs, comment on code reviews
• Browser MCP: Automated browsing for research or screenshot comparisons
• Database MCP: Schema queries, query generation with real schema context

3. Detailed Prompts: Quality Over Speed¶

The most common mistake in vibe coding: prompts that are too short. "Build me a contact form" is not a good prompt. A good prompt specifies:

• Which fields the form should have
• Which validation rules apply
• Which framework/patterns should be used
• What happens afterward (email, database, redirect)
• What error handling is desired

The time invested in a good prompt pays off immediately: less rework, fewer misunderstandings.

4. Code Review Remains Mandatory¶

Vibe coding does not mean you never read the generated code. 45% of AI-generated code contains OWASP Top 10 vulnerabilities -- this is not an outlier, this is the current state of the art. LLMs prioritize working code over secure code, because their training data reflects this.

What you should always check:

• SQL queries: parameterization instead of string concatenation?
• User input: is it validated and escaped?
• Secrets: did the agent accidentally hardcode API keys?
• Dependencies: were new packages added that haven't been reviewed?

openClaw: Why I Don't Recommend It¶

openClaw (originally ClawDBot, renamed multiple times due to trademark pressure) is an open-source AI agent framework that went viral in late January 2026: over 180,000 GitHub stars and more than two million visitors in a single week. The tool connects an LLM with a persistent execution environment -- the agent runs shell commands, reads and modifies files, sends emails, browses the web, and manages OAuth-connected services.

However, the popularity has brought massive security problems to light:

CVE-2026-25253: One-Click Remote Code Execution¶

In January 2026, a critical vulnerability (CVSS 8.8) was discovered: a single manipulated link was enough to gain full control of an openClaw instance. The attack chain:

1. Token exfiltration via forged gatewayUrl parameters in the link
2. Cross-Site WebSocket Hijacking -- the WebSocket server did not validate Origin headers
3. Gateway takeover with stolen tokens -- full access to all agent functions

Localhost binding alone does not protect -- the exploit uses the victim's browser as a pivot point.

ClawHavoc: Supply Chain Attack on the Skills Marketplace¶

An analysis of the ClawHub skills marketplace (comparable to a plugin store) by security researchers at Koi Security revealed alarming numbers: of the original 2,857 skills, 341 were malicious -- approximately 12% of the entire registry. By mid-February 2026, the number of confirmed malicious skills had grown to over 824 out of 10,700+ (around 20%).

A single user ("hightower6eu") uploaded 354 malicious packages in an automated blitz. The disguise: fake "Prerequisites" sections that instructed users to execute shell commands. Target categories included crypto wallets, YouTube tools, finance, and social media utilities.

The primary payload: Atomic macOS Stealer (AMOS) -- a commodity infostealer that exfiltrates iCloud Keychain passwords, browser cookies, crypto wallets (60+ types), SSH keys, and Telegram sessions. On Windows, a VMProtect-shielded stealer with keylogger and RAT functionality was distributed.

Architectural Weaknesses¶

• Plaintext credentials: API keys and OAuth tokens are stored in plaintext files under ~/.openclaw/ -- easy pickings for infostealers
• Prompt injection: The agent inherently processes untrusted content (emails, web pages). Hidden instructions manipulate the LLM
• Memory poisoning: The campaign also targeted persistent memory files (SOUL.md, MEMORY.md) to permanently alter agent behavior
• 42,665 exposed instances on the internet, of which 5,194 were actively vulnerable (93.4% with authentication bypass)

Palo Alto Networks has mapped openClaw to every category of the OWASP Top 10 for Agentic Applications. Kaspersky identified 512 vulnerabilities, eight of which were rated critical.

Assessment: Flare Threat Intelligence Analysis¶

An analysis by the threat intelligence platform Flare, published in February 2026 and based on 2,764 records from underground forums and Telegram channels, shows: The security community is currently discussing openClaw far more than it is actually being exploited by threat actors. There are real supply chain risks, but no mass criminal operationalization yet.

The most important warning: Historically, this phase often precedes actual weaponization by only weeks or months. Automation platforms with plugin ecosystems become high-value targets long before organizations realize that their employees are already using these tools at scale ("Shadow AI").

If You Still Want to Use openClaw¶

Those who want to test openClaw under controlled conditions should at minimum:

# Nur auf localhost binden, nie auf 0.0.0.0
openclaw --bind 127.0.0.1 --port 18789

# Netzwerk-Segmentierung: nur im lokalen Dev-Netz
# Keine Produktion, kein Server mit echten Daten

Additional measures:

• Credential rotation for all connected services after every session
• Treat skills as third-party code: manually read source code before installation
• Isolated deployment in a VM or container, never on the main development machine
• Regularly check ~/.openclaw/ directories for suspicious changes

My Conclusion After the First Few Weeks¶

Vibe coding is not a hype that will pass. It fundamentally changes what a solo developer can accomplish. The quality of results depends directly on the quality of context and prompts -- whoever understands this can use the tools effectively.

What surprised me the most: the biggest productivity gains come not from new features, but from routine work -- writing tests, performing refactorings, creating documentation, understanding bugs in unfamiliar code. Things that used to take a lot of time because they were important but unexciting.

What hasn't changed: the responsibility for the code still lies with the developer. AI agents are powerful tools -- but tools, not colleagues. Knowing the difference is the most important part of the craft.