
Unloveable: How Vibe Coding Could Destroy Your Business.

If your AI modernization "expert" is pushing Lovable on your business, this is a major red flag. Buyer beware.

March 27, 2026 · 8 min read · By Jesse Alton

Engineers and developers are not what's at risk. Your business's reputation is. I am a mega-fan of AI-accelerated software development, AI-augmented writing, and AI for most forms of workflow optimization. I have over 2,500 commits to my GitHub over the last year alone, thanks in large part to AI-enabled tools like Cursor. However, buyer beware. If your execs are forgoing that website modernization because of something they made over the weekend, or if your AI consultant is pushing Lovable, you should be concerned.

I sat in a pitch last week that should have been a sales call. Instead, I watched a man destroy his credibility in real time.

The gentleman had built an AI travel app. Credit card integration for rewards. Trip splitting with friends. Then the red flags started flying. He showed me his own version of WhatsApp built inside the app for coordinating with friends. More red flags when he demonstrated Netflix, YouTube, and Hulu streaming with family through the platform. I nearly walked out when he showed me photo and memory management features. The final straw: he had replicated all of Obsidian for notes, thoughts, plans, and to-do lists. Plus a nonprofit arm for charity donations.

His valuation estimate? "Over $4 billion."

"I have soft multi-million dollar commitments," he said. "Should close within the next week or two." The biggest red flag of all. When founders start saying "two weeks," you know you're dealing with fantasy.

I asked the obvious questions. How much has he raised officially? Zero. Revenue? None. Users? His friends like it, but no actual testing. When I asked to see the repo to determine how we could help, he revealed the truth: he built it all with Claude.

At least it wasn't Lovable.

The Marketing Machine Behind the Delusion

Today, marketing types are pushing Lovable like they once pushed Canva. Same energy. Same promise of democratization. Same fundamental misunderstanding of what professional work actually requires.

Canva made acceptable graphics accessible to non-designers. Lovable makes acceptable demos accessible to non-engineers. The problem starts when people confuse the demo with the product.

Lovable explicitly markets itself to marketers as a way to launch "on-brand landing pages, interactive campaigns, and digital experiences without engineering bottlenecks." That positioning tells you everything. This is Canva for app-shaped things. Great for campaign pages, demos, internal mockups, and showing stakeholders what you mean.

But Canva never pretended to be Figma. Lovable positions itself as "the world's first AI Fullstack Engineer." That creates a dangerous social effect. Non-technical founders, marketers, and operators start believing they have crossed the gap from prototype to production simply because the UI is polished and the feature list sounds complete.

That is demo fluency. That is not engineering maturity.

The Security Nightmare Is Already Here

The public record on vibe coding security is ugly. MITRE/NVD lists CVE-2025-48757 for insufficient Row-Level Security in Lovable-generated projects. Lovable disputes responsibility and says customers are responsible for protecting their own app data.

Security researchers documented that a Lovable-hosted app exposed data from more than 18,000 users. Reports showed 16 vulnerabilities including six critical flaws. The UK NCSC warned this week that vibe coding poses real cyber risk because insecure, hard-to-maintain code is being produced faster than organizations can govern it.

Veracode's 2025 report found AI-generated code frequently fails security tests. Wiz reported that one in five organizations using vibe-coded apps were exposed to systemic risks. OX Security tested major AI app builders, including Lovable, and said every platform they tested failed a basic security test, even when explicitly asked to build a secure app.

The problem is structural. These tools are very good at producing something that looks complete long before it is actually safe.
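To make "insufficient Row-Level Security" concrete, here is an added example (not from Lovable, the CVE record, or any real project) showing a policy that looks protective but is not, its corrected form, and a catalog query a reviewer can run to find such tables. It assumes a Supabase-style Postgres where `auth.uid()` returns the caller's user id; the `trips` table and all policy names are hypothetical.

```sql
-- Constructed example: table and policy names are hypothetical.
-- Assumes Supabase-style Postgres, where auth.uid() is the caller's user id.

create table public.trips (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null,
  destination text not null
);

-- Weak: RLS is switched on, but the policy admits every caller to every row.
alter table public.trips enable row level security;
create policy trips_read_all on public.trips
  for select using (true);

-- Corrected: each operation is limited to signed-in users and to their own rows.
drop policy trips_read_all on public.trips;
create policy trips_owner_select on public.trips
  for select to authenticated
  using (owner_id = auth.uid());
create policy trips_owner_insert on public.trips
  for insert to authenticated
  with check (owner_id = auth.uid());
create policy trips_owner_update on public.trips
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Review query: list public tables that either have RLS disabled or carry
-- a policy whose condition is the constant true.
select c.relname                      as table_name,
       c.relrowsecurity               as rls_enabled,
       count(p.policyname)            as policy_count,
       count(p.policyname) filter (
         where p.qual = 'true' or p.with_check = 'true'
       )                              as unconditional_policies
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p
       on p.schemaname = n.nspname and p.tablename = c.relname
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity
    or count(p.policyname) filter (
         where p.qual = 'true' or p.with_check = 'true'
       ) > 0
order by c.relname;
```

A table with RLS enabled and zero policies denies all access to non-owner roles, so the query does not flag it; an empty result means no table in `public` is wide open by either of these two routes, not that the remaining policies are correct.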

The Walled Garden Trap

Lovable's own documentation reveals the soft lock-in strategy. They say you can sync code to GitHub, self-host, export data, and move away from the platform. Their docs claim they are "intentionally built so that you are never locked in."

But read the fine print. When you build with Lovable, your code lives inside the Lovable platform, "perfect for most creators." GitHub sync is presented as the thing you do if you want your own copy, want to collaborate with developers, or want to move the project elsewhere.

That wording matters. The default mental model is builder convenience first, engineering escape hatch second. Lovable Cloud bundles database, auth, storage, edge functions, AI, logs, and secrets with "no infrastructure setup required." Cloud is enabled by default, and once a cloud region is selected, it cannot be changed and projects cannot be moved between regions.

Migration is portable in theory, but manual in practice. Their external deployment guide exists precisely because moving out requires hosting frontends elsewhere, moving backend/data, generating Docker deployments, and handling manual config for self-hosted Supabase.

You can leave anytime. Leaving is not operationally cheap.

The Hidden Costs Nobody Talks About

Lovable charges for build credits and meters cloud usage across compute, storage, network, and database resources. "Cheap because I didn't hire engineers" can turn into "expensive because nobody designed the system well."

Prompt loops, rework, duplicated logic, weak schemas, over-permissioned data access, and unnecessary runtime usage create hidden TCO that experienced engineers prevent up front. Lovable's own troubleshooting docs tell users to use "Try to Fix," revert and re-prompt, and break work down step by step because unexpected behavior is common.

That is acceptable in prototype land. That is not the operating model you want for production software assurance.

The Status Fantasy Problem

Public examples now celebrate things like "I one-shotted a full SaaS in Lovable" with auth, paywalls, onboarding, admin dashboards, and usage tracking. The ecosystem rewards overclaiming: "no code," "full SaaS," "production-ready," "didn't write a line of code," "shipped in hours," and "replace your dev team" messaging.

Reuters reported that the founder of Moltbook championed vibe coding and said he "didn't write one line of code." Wiz later found a major security hole exposing private data on the site.

That is the pattern. Bold public confidence. Weak operational controls. Users left holding the risk.

Where Lovable Actually Works

I have clients who use Lovable to communicate their ideas with me. This is fantastic. Tools like Cursor have an intimidating UI for non-technical people. Cursor looks like traditional coding tools, and for folks who have always been intimidated by development, that creates unnecessary friction.

Lovable excels as a high-speed prototype generator and communication layer. Perfect for marketers, founders, PMs, and non-engineers who need to express ideas visually and interactively. Useful for low-risk internal tooling and rough MVPs.

The danger starts when you handle user data, money, healthcare, education, identity, or anything customer-facing. Then you need adults in the room: senior engineering, AppSec, infra, data, and product people.

The Real Danger

The real danger is people using Lovable to cosplay as a software company. The tool is fine for rapid prototyping, internal tools with guardrails, and accelerating experienced teams. It becomes dangerous when sold as a substitute for software architecture, secure coding, production ops, QA, privacy engineering, or compliance.

Lovable itself says apps are "production-grade," but its own docs also push GitHub sync, external deployment, RLS review, security scans, audit logs, and even pentesting. That is the tell. The tool can generate code and infrastructure fast, but it does not remove the need for architecture, AppSec, DevOps, data governance, testing, or cost control.

The biggest delusion in vibe coding is completion bias: "it runs, therefore it is ready." Even Lovable's troubleshooting docs document that reliability and correctness do not fall out automatically from a few natural-language requests.

The Bottom Line

Software generation is not software engineering. Lovable is useful, but it is best understood as Canva for app-shaped prototypes. Their own docs show the pattern: generate fast in a managed all-in-one environment, then export, migrate, govern, and clean it up later.

That is great for marketers, demos, and cheap proof-of-concepts. Once the stakes involve customer data, regulated workflows, multi-team collaboration, infra policy, or long-term maintainability, the center of gravity needs to move to GitHub, real IDEs, proper review, architecture, testing, observability, and experienced engineers.

You are not democratizing software. You are democratizing breach liability.

I use AI to write these articles. I use it to code tools like The Interop, Cadderly, and more. I am not anti-AI when it comes to getting things done. I am anti-grifter, and you need to be careful.

Do your job or AI will replace you. That goes double for the marketing types pushing dangerous tools to clients who do not know better.


Jesse Alton

Founder of Virgent AI and AltonTech. Building the future of AI implementation, one project at a time.

@mrmetaverse
